Friday, 23 June 2017

198 Million US Voter Records Leaked

Earlier this week, it was reported that 198 million US voter records were exposed in a publicly accessible Amazon S3 bucket owned by Deep Root Analytics, a Republican data analytics firm. This is reportedly the biggest exposure of its kind in history.

Various databases were found in the bucket, containing personal information on American citizens, including their name, date of birth, home address, phone number and voter registration details, together with their likely voting preferences. Deep Root Analytics uses such data sets to help its political clients target potential voters through big-data analysis, and its data was used in the 2016 presidential campaign.

The firm has since accepted responsibility for the exposure, while stating that it has no reason to believe its security systems were compromised.
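The root cause described above is a storage bucket whose access settings let anyone read it. As an added illustration, not code from the original article or from Deep Root Analytics, the following Python script shows how a practitioner would audit for exactly that condition: it takes the JSON that S3 returns for GetBucketAcl and GetBucketPolicy (the document shapes follow the AWS API; the sample documents, bucket name and account ID are constructed for the example) and reports any ACL grant to the AllUsers or AuthenticatedUsers groups and any Allow statement that gives a wildcard principal unconditional read or list access.

```python
"""Flag S3 buckets that anyone on the internet (or any AWS account) can read.

Added example, not code from the article or from Deep Root Analytics: it
parses the JSON that S3 returns for GetBucketAcl and GetBucketPolicy and
reports what makes a bucket world-readable. The sample documents, bucket
name and account ID below are constructed for illustration.
"""
import fnmatch
import json

# Pre-defined S3 groups; a grant to either makes the bucket effectively public
# (AuthenticatedUsers means any AWS account holder, not just your own).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
# Actions that let a stranger enumerate or download the data.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def public_acl_grants(acl):
    """Return (group, permission) for each ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return (Sid, [read actions]) for Allow statements that grant a wildcard
    principal read/list access with no Condition narrowing who may use them."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # may be limited to a VPC endpoint or source IP: review by hand
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        exposed = [target for target in READ_ACTIONS
                   if any(fnmatch.fnmatchcase(target, p) for p in patterns)]
        if exposed:
            findings.append((stmt.get("Sid", "statement[%d]" % index), exposed))
    return findings


def audit_bucket(acl, policy):
    """Combine both checks into a list of findings; empty means nothing public."""
    findings = ["ACL grants %s to %s" % (perm, group) for group, perm in public_acl_grants(acl)]
    for sid, actions in public_policy_statements(policy):
        findings.append("policy %s allows %s to everyone" % (sid, ", ".join(actions)))
    return findings


# Constructed sample documents in the shape S3 returns (not from any real account).
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
EXPOSED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
]}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")
# The corrected configuration: owner-only ACL and a policy scoped to one IAM role.
LOCKED_DOWN_ACL = {"Owner": {"ID": "example-owner-id"},
                   "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LOCKED_DOWN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AnalystsOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
}]}

if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("locked-down", LOCKED_DOWN_ACL, LOCKED_DOWN_POLICY)):
        print(name + ":", audit_bucket(acl, pol) or "no public access found")
```

Against a real account the two documents would come from boto3's get_bucket_acl and get_bucket_policy calls for each bucket. The check deliberately treats AuthenticatedUsers as public, since that group means any AWS account holder rather than your own users, and it skips rather than flags statements that carry a Condition, because a condition such as a source-IP or VPC-endpoint restriction may legitimately narrow the audience; those still deserve a manual look.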

Terry Ray, chief product strategist at Imperva, gave some insight on the breach;

“This was less a leak, but was rather an identified exposed server. From the information provided, the data is not known to have been stolen necessarily. It sounds to me that this is another case of incorrectly secured cloud-based systems. Certainly, security of private data – especially my data, as I am a voter – should be of paramount concern to companies who offer to collect such data, but that security concern should ratchet up a few marks when the data storage transitions to the cloud, where poor data repository security may not have the type of secondary data centre controls of an in-house, non-cloud data repository.

With more data being collected by companies than ever before, securing it is no small task. There are many factors that need to be taken into consideration. Are the environment and the data vulnerable to cyber threats? Who has access to the data? And there’s also the issue of compliance. Big data deployments are subject to the same compliance mandates and require the same protection against breaches as traditional databases and their associated applications and infrastructure.”

He added:

“Much of the challenge of securing big data is the nature of the data itself. Enormous volumes of data require security solutions built to handle them. This means incredibly scalable solutions that are, at a minimum, an order of magnitude beyond that for traditional data environments. Additionally, these security solutions must be able to keep up with big data speeds. The multiplicity of big data environments is what makes big data difficult to secure, not necessarily the associated infrastructure and technology. There is no single logical point of entry or resource to guard, but many different ones, each with an independent lifecycle.”

Andrew Clarke, EMEA director at One Identity, gave some pointers on how best to avoid this type of data breach in the future:

  • “Always ensure that only the right people can access data
  • Empower the owners of the data to easily put the proper access controls in place
  • Don’t assume that just because it is password protected it is safe (use multifactor and role-based access controls)
  • Slow down and make sure that governance is in place, especially for data stored in the cloud this means: The owners of the data decide what is right (not IT); making it easy for someone that is right for the data to get to the data; run periodic attestations to validate that all of the people with permission to access the data actually should have that permission”

He adds: “Once a ‘security first’ and ‘identity is the new perimeter’ attitude is adopted, incidents will be dramatically reduced.”


The post 198 Million US Voter Records Leaked appeared first on IT SECURITY GURU.

Westfield CIO: Data And Personalisation Are Key To Shopping Centre Survival

Shopping is fast becoming an online activity, but Westfield has a plan to keep consumers coming back to its two London facilities.

The post Westfield CIO: Data And Personalisation Are Key To Shopping Centre Survival appeared first on IT SECURITY GURU.

Fraudster Made £100K from Online Banking Bug

An online fraudster has been jailed after pocketing nearly £100,000 by exploiting a glitch in his online banking platform.

ORIGINAL SOURCE: Info Security Magazine

The post Fraudster Made £100K from Online Banking Bug appeared first on IT SECURITY GURU.

Variant of Marcher Android malware poses as Flash Player update

Developers of the Android banking malware Marcher are now disguising the trojan as an Adobe Flash Player update, the cloud security company Zscaler has reported in a Thursday blog post.


The post Variant of Marcher Android malware poses as Flash Player update appeared first on IT SECURITY GURU.

Blockchain: Helping secure digital identities

Blockchain allows individuals, independent of each other, to rely on the same shared, secure and auditable source of information for managing identity.

ORIGINAL SOURCE: Information Age

The post Blockchain: Helping secure digital identities appeared first on IT SECURITY GURU.

RIG Exploit Kit Usage Declines as Browsers Are Getting Harder to Hack

Another major exploit kit (EK) looks like it’s heading for the EK graveyard as activity from the RIG EK has fallen to less than 25% of what the exploit kit used to handle three months ago, in March 2017.

ORIGINAL SOURCE: Bleeping Computer

The post RIG Exploit Kit Usage Declines as Browsers Are Getting Harder to Hack appeared first on IT SECURITY GURU.

Cybersecurity Ventures Predicts 3.5 MILLION Cybersecurity Jobs by 2021!

This week, Cybersecurity Ventures released its latest report, predicting that there will be 3.5 million unfilled cybersecurity jobs by 2021, a dramatic increase on previous estimates. Earlier reports put the future skills gap considerably lower: Symantec’s 2015 report projected a shortfall of 1.5 million against a global demand of 6 million cybersecurity workers, and ISACA’s 2016 skills gap analysis predicted a global shortage of 2 million cybersecurity professionals by 2019.

Either way, these numbers illustrate pretty clearly that the cybersecurity world is struggling to keep up with the huge increase in cybercrime.

With cybercrime estimated to cost the world $6 trillion annually by 2021, and that figure consistently rising, the growing skills gap is a concern all over the world. NASSCOM estimates that India alone will need 1 million cybersecurity professionals to meet the demands of its ever-expanding economy, and Intel Corp’s eight-nation study found a shortage of cybersecurity professionals in every country surveyed (Israel, the US, Australia, France, Germany, Japan, the UK and Mexico). Australia is reportedly the most at risk and faces the largest hit; CIO reported that 88% of IT professionals and decision makers feared the cybersecurity shortage, both within their own organisation and as a nation.

So what can be done to resolve this impending issue?

Robert Herjavec, founder and CEO at Herjavec Group, says: “Unfortunately the pipeline of security talent isn’t where it needs to be to help curb the cybercrime epidemic. Until we can rectify the quality of education and training that our new cyber experts receive, we will continue to be outpaced by the Black Hats.”

He adds: “I highly recommend pursuing your education in information technology or computer science,” directing his comments at IT workers and new entrants to the field, including college graduates. “There is a zero-percent unemployment rate in cybersecurity and the opportunities in this field are endless. Gone are the days of siloed IT and security teams. All IT professionals need to know security – full stop. Given the complexity of today’s interconnected world, we all have to work together to support the protection of the enterprise.”


The post Cybersecurity Ventures Predicts 3.5 MILLION Cybersecurity Jobs by 2021! appeared first on IT SECURITY GURU.

A Quantum Encryption Solution is Here!

Encryption gateway vendor eperi and Deutsche Telekom have presented a joint post-quantum encryption solution, intended to keep encrypted data secure even against attackers equipped with quantum computers, which are expected to break today’s widely used public-key algorithms. The approach, one of the first of its kind, is also meant to protect data in SaaS applications such as Office 365, Salesforce or custom apps against this threat. Key to it is PQC (post-quantum cryptography): encryption algorithms designed to resist attack by quantum computers, in this case developed at the Technische Universität (TU) Darmstadt.

“Quantum computers are not science fiction anymore,” said Elmar Eperiesi-Beck, CEO of eperi. “There is growing evidence that intelligence agencies are working on prototypes that allow them to crack currently safe algorithms. In the near future, the most important of our secure encryption algorithms could become obsolete, a potential nightmare scenario for data protection efforts.”

The team, headed by Prof. Dr. Johannes Buchmann from TU Darmstadt, has been cooperating with eperi and Deutsche Telekom to integrate these PQC algorithms into eperi’s encryption gateway. This solution encrypts data before it leaves an organisation to be processed or stored in the cloud, allowing enterprises to remain in control of who can access their data, even in decentralised IT structures.

In two session talks at Magenta Security 2017, Munich Germany, which was where the announcement was made, eperi founder and CEO Elmar Eperiesi-Beck and Professor Johannes Buchmann explained how all organisations profit from better data protection in the cloud era. Personal data, such as employee information, or sensitive enterprise data like patents and research are an easy target for espionage and data theft. Progressively stricter data protection laws like the EU General Data Protection Regulation (GDPR) are putting immense pressure on everyone processing data.

“One of the biggest advantages of the eperi Gateway is that the user can fully control the encryption and switch out their algorithms if needed,” said Prof. Buchmann. “To be prepared for the threats of tomorrow, organisations have to protect themselves now. The eperi Gateway allows them to do that in an efficient and totally secure way.”

The post A Quantum Encryption Solution is Here! appeared first on IT SECURITY GURU.

Learning the lessons from cyber attacks

Cybercriminals have been known to target businesses across all sectors. Recent high-profile cyber attacks have successfully breached well-known brands including telecoms providers, retailers and banks. Evidently, all industries are potentially vulnerable. As businesses become ever more negatively affected by cyber attacks, lessons need to be learnt and effective cyber defences implemented in order to protect businesses and their customers.

The problem is that this is easy to say but much harder to do. Businesses of all sizes will struggle to minimise, let alone block, the myriad cyber threats they face. Some breaches occur because of bad practice and poor security; in other cases, organisations with even the most robust defences face so many threats that some slip through the cracks.

When a business is successfully breached and customer data is exposed, the consequences can be severe. Recently, a national telecommunications company was fined £400,000 by the UK regulator following a large-scale breach that compromised a vast amount of customers’ data. The attacker was able to access the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. Evidently, these breaches can be serious with businesses and their customers susceptible to substantial financial and reputational damage.

The Role of the Deep & Dark Web

We know cybercriminals make use of the Deep & Dark Web to conduct their illegal activities. Earlier this year, it was reported that gamers were put at risk of having their private information sold on the dark web following a data breach involving 2.5 million accounts. Effective cyber defences need to include monitoring and understanding of the dark web; without it, a business is trying to defend itself blindfolded, with its arms tied behind its back.

Our research shows that cybercriminals are using the dark web to buy and sell fraudulent gift cards. This type of crime has grown substantially over the last several years because it can yield significant financial rewards at a relatively low risk for criminals.

Cybercriminals’ continued interest in gift card fraud aligns with a common practice among many gift card issuers: the prioritisation of user experience and profits over security. Unlike bank-issued credit and debit cards, gift cards are not held to strict anti-fraud standards, which means that many gift cards may lack common-yet-effective security features aimed to help combat fraud. This is just one example of criminal profiteering using the Deep & Dark Web.

Attaining Effective Cyber Defence

Effective cyber defence requires barriers that deter cybercriminals alongside effective risk intelligence. In the high stakes world of commercial cybersecurity, prevention is better than cure. As previously stated, any breach or cyber compromise has the potential to result in substantial reputational and financial consequences. The recent case of the telecoms company serves as a case in point — the company’s share price plummeted after the attack and still hasn’t recovered fully.

Businesses need to prioritise cybersecurity and make sure it is a C-Suite issue that is taken seriously by all departments and employees across the entire business. The weakest link in the defence is most often what will be exploited by criminals. As such, businesses need to ensure staff are trained so they don’t create a gateway for criminals. Furthermore, cybersecurity infrastructure needs to be updated and invested in to help businesses detect and mitigate cyber threats more accurately and effectively.

The latest cyber attacks once again shine the spotlight on cybercrime. It is an issue that affects companies of all sizes and from all sectors. Even countries are affected by it. It is a truly global challenge.

Above all else, it is crucial for businesses to focus on what they can control. Having effective insight and intelligence about relevant threats, investing in technology and people, providing training for staff on cybersecurity, and prioritising defence from the most senior staff through to the most junior is essential. Failure to take action will only make your business more vulnerable to compromise. These are the lessons businesses must learn from the latest high-profile cyber-attacks.


Written by Vitali Kremez, Director of Research, Flashpoint

The post Learning the lessons from cyber attacks appeared first on IT SECURITY GURU.

Local authorities need data system refresh within 18 months

Phoenix Software today reveals that local authorities are unable to store and analyse data effectively. Independent research it commissioned alongside VMware among local authority IT leaders shows the majority believe their current data analysis capabilities (75 percent) and data storage capabilities (72 percent) will need a refresh within the next 18 months and this refresh could greatly enhance their productivity internally and help them deliver highly effective citizen-focused solutions.

IT departments within local authorities are under pressure to control data, reduce costs and transform applications for both staff and citizens. The study reveals that a change in data management approach is needed: over half (51 percent) believe they do not currently have the right strategy in place for managing citizen data, while more than a quarter (28 percent) do not think they are completely ready for impending compliance regulations.

This is having an impact on their ability to successfully deliver information and services. The respondents believe that mobility initiatives are often being restricted by efforts to control data (40 percent) and a lack of support for the applications staff need (38 percent). An overwhelming 87 percent of respondents thought their organisation could benefit from taking steps to support access to applications remotely or in the field.

Keith Martin, Director of Public Sector at Phoenix Software, said: “Transforming IT is one of the most complex challenges the public sector faces and managing data is one of the toughest elements of that challenge. Local Authorities are sometimes faced with sprawling, siloed environments that can’t communicate, integrate or interact; the good news is that there is an understanding that change is required and this change will be key as Authorities look to use technology to meet the needs of their citizens.”

“Meeting compliance regulation and data sovereignty requirements means organisations need to understand what data they have, get rid of what they don’t need, while having the capabilities to analyse and effectively use what remains. That’s a big undertaking for any public sector IT team to handle on their own. Luckily there are experts out there who support on these projects every day and, when turned to for guidance, can help them through each step of the transition.”

Tim Hearn, Director, UK Government and Public Services, VMware, said: “From planning and managing recycling initiatives to social worker visits for citizen engagement, effective use of data will be key to the success of citizen experiences. With so much of today’s digital innovation delivered and consumed in applications, local governments need to embrace a cloud strategy that works best for them today, and future-proof investments in technology so they can meet the demands faced in years to come as well.”


The post Local authorities need data system refresh within 18 months appeared first on IT SECURITY GURU.

Thursday, 22 June 2017

WannaCry Ransomware Infects 55 Speed and Red-Light Cameras in Australia

Fifty-five speed and red-light cameras in the Australian state of Victoria were infected with the WannaCry ransomware. The incident took place last week and was brought to light by a local radio station. According to current information, the infection occurred during maintenance, when a human operator connected an infected USB drive to the devices, which were apparently running a Windows OS.


ORIGINAL SOURCE: Bleeping Computer

The post WannaCry Ransomware Infects 55 Speed and Red-Light Cameras in Australia appeared first on IT SECURITY GURU.

Locky Ransomware Returns, but Targets Only Windows XP & Vista

The Locky ransomware is back, spreading via a massive wave of spam emails distributed by the Necurs botnet, but the campaign appears to be a half-baked effort because the ransomware is not able to encrypt files on modern Windows OS versions, locking files only on old Windows XP & Vista machines.


ORIGINAL SOURCE: Bleeping Computer

The post Locky Ransomware Returns, but Targets Only Windows XP & Vista appeared first on IT SECURITY GURU.

Median Dwell Time for Hackers Drops to 49 Days

The dwell time for hackers inside victim networks fell by nearly half over the past year, although the time from intrusion to containment of such threats remained virtually the same, according to Trustwave.


ORIGINAL SOURCE: Info Security Magazine

The post Median Dwell Time for Hackers Drops to 49 Days appeared first on IT SECURITY GURU.

AdGholas malvertisers experiment with ransomware, delivered through AstrumEK

The AdGholas malvertising threat group conducted a new campaign in May and June 2017 using the Astrum exploit kit to infect victims with Mole ransomware – an unusual change-up for these adversaries, who historically have favored banking trojans, according to researchers from Trend Micro and Proofpoint.

The post AdGholas malvertisers experiment with ransomware, delivered through AstrumEK appeared first on IT SECURITY GURU.

The Queen’s Speech: a technological revolution?

The Queen’s Speech outlined a number of technology-centred initiatives aimed at bolstering the economy, driving innovation, defending online safety and meeting environmental targets.


ORIGINAL SOURCE: Information Age

The post The Queen’s Speech: a technological revolution? appeared first on IT SECURITY GURU.

IoT the top priority in driving digital transformation says new global research report

IoT has become the leading technology for digital transformation and is the number one priority for 92 per cent of organisations, according to global research findings published today by Inmarsat (LSE:ISAT.L), the world’s leading provider of global mobile satellite communications.  The Inmarsat Research Programme study focusing on the enterprise application of the Internet of Things (IoT) revealed that machine learning (38 per cent), robotics (35 per cent), and 3D printing (31 per cent) were also key requirements for effectively delivering digital transformation for business. 

Conducted independently on behalf of Inmarsat by Vanson Bourne, the Inmarsat Research Programme report “The Future of IoT in Enterprise 2017” surveyed 500 senior respondents from across the agritech, energy production, transportation and mining sectors, from organisations with over 1,000 employees.

The key findings reveal that almost all (97 per cent) respondents are experiencing, or expect to experience, significant benefits from the deployment of IoT technologies.  Improved service delivery capabilities (47 per cent), better health and safety across the organisation (46 per cent), and greater workforce productivity (45 per cent) were identified as the top three benefits to be gained from the deployment of IoT-based solutions.

However, the research also highlights security concerns, a lack of skills (particularly in the deployment of IoT) and connectivity as key challenges that need to be addressed in order to maximise IoT’s potential. Almost half (47 per cent) of respondents believe that their organisation will need to rethink their approach to data security and make heavy investments to meet IoT security requirements.  Some 45 per cent cite lack of skills as a particular challenge for their organisation in deploying IoT, while 29 per cent agree with the statement that connectivity issues threaten to derail their IoT deployments before they have even begun.

Paul Gudonis, President, Inmarsat Enterprise, commented: “The development and deployment of IoT is a new phenomenon spreading over every industry in every part of the world and this research has confirmed that IoT is the leading technology in digital transformation, taking a steady lead over other forms of innovation. IoT acts as the eyes and ears of organisations and its value comes from how the data it collects is used to improve effectiveness across an organisation. As such, it is unsurprising that so many organisations are deploying IoT to propel their digital transformation initiatives.

“However, this is not to imply that challenges are absent. The research points to clear concerns – namely, security, skills, and connectivity. The increasing interconnectivity of devices, teamed with a heightened cyber-security landscape and a short supply of relevant skills, brings an array of issues. To overcome these challenges, collaboration is key.

“Developing new technology is complex and draws on many different type of skills. Reliable network infrastructure providers, that can operate anywhere in the world, need to work closely with end-user businesses to make sure they understand their operational needs. Inmarsat is working with our network of partners globally to drive innovation through our expertise in IoT solutions and satellite connectivity,” concluded Gudonis.

The research, The Future of IoT in Enterprise 2017, is accessible as an intelligence paper and can be downloaded here:

The post IoT the top priority in driving digital transformation says new global research report appeared first on IT SECURITY GURU.

Ransom-Aware: Carbon Black Survey Finds 7 of 10 Consumers Would Consider Leaving a Business Hit By Ransomware

WannaCry brought the threat posed by cybercriminals into the public consciousness in a way that had not really been seen before. Temporarily crippling the NHS brought the dangers of cyber-attacks home and demonstrated that organisations need to take all forms of cybercrime seriously. Ransomware is a particularly devastating form of attack, and a successful one can have a major commercial impact on a business.

Carbon Black recently surveyed 5,000 people to gauge the public’s perception on ransomware, its threshold for paying a ransom, and the expectations consumers have on businesses to keep their data safe.

The results showed that for 57% of the consumers surveyed, WannaCry was their first exposure to the intricacies of ransomware, meaning public awareness has been raised, at least temporarily, by the high-profile nature of the attack. It remains to be seen whether the upturn in awareness continues or whether it reverts to pre-WannaCry levels. Either way, with consumer awareness this high, the commercial risks and downsides resulting from an attack are even greater from a business standpoint.

When compared side by side with other consumer facing industries, retailers did not score well when it came to consumer trust. When asked about the level of trust consumers have that their financial institutions, healthcare providers and retailers can keep their personal data safe, 70% of consumers said that they trust that their financial institutions and healthcare providers can keep their data safe. Only 52% of consumers trust that retailers can keep their data safe. These results show all industries have a lot of room for improvement when it comes to public confidence, but retailers especially.

The critical part for businesses though is the attitudes and reaction of consumers to successful ransomware attacks. A large majority (70%) of consumers would consider leaving a business if it were hit by a ransomware attack. Financial institutions were the most vulnerable with 72% of consumers saying that they would consider leaving them if they were hit by ransomware, for retailers it was 70%, and healthcare providers 68%.

The fact that consumer behaviour changed little between financial institutions, retailers and healthcare providers shows a significant majority of consumers will punish companies who are affected by ransomware.

Our survey showed the general public places a huge premium on their financial data over both phone data and even medical records. When asked what their most sensitive information is 42% said it was financial data, closely followed by the 41% who stated it was personal and family photos and videos. Mobile data and medical records both were only most valued by 5% of those surveyed. 

When asked if they would personally be willing to pay ransom money if their personal computer and files were encrypted by ransomware, it was close to a dead heat with 52% of respondents saying they would pay and 48% saying they would not. This is interesting given the best practice advice for both individuals and businesses is not to pay. We know that paying ransoms is only a temporary fix and it serves to embolden and reward cybercriminals.

Of the 52% who said they would pay a demand for money from a cyber attacker 12% of the cohort said they would pay $500 (approx. £390) or more, 29% said they would pay between $100 (approx. £78) and $500 to get their data back, whilst the majority (59%) said they would pay less than $100.

The onus of responsibility to keep consumer data safe is mostly on the individual organisations themselves, consumers said in our survey. While the burden is distributed among government organisations, software providers, and cybersecurity companies as well, consumers say the buck stops with the companies that are trusted with the private data. This is an important consideration for businesses.

This survey, which follows hot on the heels of the highly publicised WannaCry attack, shows that consumers are now very aware of ransomware and hold a view that should worry businesses: they have indicated that they would be very willing to leave a business that is successfully attacked. Consumers want businesses to look after their data, which they value highly, and a failure to do so will have a significant commercial impact. It is therefore imperative for businesses to make sure they have the right people, processes and technology in place to stop all forms of cyberattack, including ransomware.


For the full report on ransomware that Carbon Black conducted go to –


The post Ransom-Aware: Carbon Black Survey Finds 7 of 10 Consumers Would Consider Leaving a Business Hit By Ransomware appeared first on IT SECURITY GURU.

Top tips for protecting your brand against cyber attacks

MarkMonitor®, the global leader in enterprise brand protection is advising businesses to act now in order to protect themselves against cyber attacks. These attacks come in all different shapes and sizes, and as we have seen from recent global attacks, no brand can truly consider themselves safe.

What’s more, with both the rate and sophistication of cyberattacks continually increasing, brands are facing the additional risk of significant financial and reputational loss at the hands of online criminals.

Chrissie Jamieson, Senior Director Marketing Communications, MarkMonitor said: “Two of the most common cyber threats to harm brands take the form of phishing scams, which are cleverly-disguised emails designed to fool readers into unknowingly submitting personal information, and malware attacks, which plant malicious tools or software on computers that can access confidential information or block user access altogether. Although both attacks vary in their tactics, they can have equally damaging consequences.”

While it can’t be denied that the cyber threat is a growing business problem, there are simple steps that all businesses can take to protect themselves against the damage that is commonly caused through these kinds of attacks.

  • Try to prevent attacks in advance — set up an early warning system that alerts you to new domain registrations which are confusingly similar to, or could be misread as, your brand name and may be used to host malicious content, before they can impact your customers. By doing this, you are far more likely to prevent cyber criminals from using your brand name as part of a phishing attack.
  • Detect fraudulent activity using the right intelligence — proactively monitor and analyse key intelligence sources to detect phishing and malware activity across email and other digital channels. Often, brands will work closely with trusted IT security professionals to identify and take relevant action with maximum effectiveness.
  • Mitigate and shut down phishing sites — share your phishing alerts with ISPs, browsers, email providers and security vendors, and partner with an anti-fraud vendor to block malicious sites at the Internet gateway and have them shut down quickly.
  • Monitor across multiple digital channels — although phishing scams primarily take place through email communications, malware can often be hiding across multiple platforms. It is therefore imperative that all brands cast a watchful eye over all these different channels instead of focusing on a select few to ensure truly effective mitigation.
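The first two tips amount to an early-warning check on new domain registrations. The block below is an added example of such a check, not MarkMonitor’s code: it scores each domain in a constructed registration feed against constructed brand names (examplebank, exampleshop) using homoglyph normalisation and edit distance.

```python
"""Early-warning check for lookalike domain registrations.

Added illustration of the tips above: score each domain in a (constructed)
newly-registered-domains feed against the brand names an organisation
protects. Not MarkMonitor's service or code.
"""
import re
import unicodedata

# Constructed: brand labels to protect, given in plain lowercase ASCII.
PROTECTED_BRANDS = ["examplebank", "exampleshop"]
# Constructed: the organisation's own registrations, never reported.
ALLOWLIST = {"examplebank.com", "exampleshop.com"}

# Visual look-alikes commonly substituted for letters, mapped back to the letter.
# Multi-character entries are applied before single characters.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
}


def normalize_label(label: str) -> str:
    """Reduce one DNS label to an ASCII skeleton for comparison with a brand."""
    # Strip accents ('\u00e9' -> 'e') by decomposing, then drop non-ASCII marks.
    decomposed = unicodedata.normalize("NFKD", label.lower())
    skeleton = "".join(ch for ch in decomposed if ord(ch) < 128)
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        skeleton = skeleton.replace(src, dst)
    # Separators are often inserted to defeat naive exact-match rules.
    return re.sub(r"[-_.]", "", skeleton)


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insertion,
    deletion, substitution and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess_domain(domain: str, brands=PROTECTED_BRANDS, max_distance: int = 1):
    """Return (brand, reason) if any label of the domain resembles a brand,
    otherwise None. Checks run from most to least certain."""
    labels = [lbl for lbl in domain.lower().strip(".").split(".") if lbl and lbl != "www"]
    for brand in brands:
        for label in labels:
            skeleton = normalize_label(label)
            if label == brand:
                return brand, "exact brand label outside allow-list"
            if skeleton == brand:
                return brand, "homoglyph or separator variant"
            if brand in skeleton:
                return brand, "brand embedded in longer label"
            if edit_distance(skeleton, brand) <= max_distance:
                return brand, f"within edit distance {max_distance}"
    return None


# Constructed sample of a new-registrations feed, one domain per line.
SAMPLE_FEED = """\
examplebank.com
examp1ebank.com
example-bank-login.net
exarnplebank.org
examplebnak.com
exampleshop.co.uk
weather-today.info
\u00e9xamplebank.com
"""


def scan_feed(feed: str, allowlist=ALLOWLIST):
    """Return [(domain, brand, reason)] for every suspicious registration."""
    hits = []
    for line in feed.splitlines():
        domain = line.strip().lower()
        if not domain or domain in allowlist:
            continue
        verdict = assess_domain(domain)
        if verdict is not None:
            hits.append((domain, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in scan_feed(SAMPLE_FEED):
        print(f"ALERT {domain:28} looks like {brand}: {reason}")
```

In practice the feed would be a zone-file or registrar data stream and the hits would go to the takedown workflow described in the third tip; the scoring logic is the same.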

Most businesses put these tips into practice through a ‘brand protection strategy’, which helps to mitigate the risks associated with cyber attacks of all kinds. Once the strategy is in place, it should be communicated across all areas of the business — and not just limited to the confines of the IT department. This ensures that every employee is acutely aware of the different risks the business faces and the steps that should be taken in the event of an attack to ensure protection.

The cyber attack landscape might be complex, but ultimately, the steps that brands should follow are still straightforward. Identify the areas of vulnerability, determine the potential consequences of a given attack, and then take the steps to mitigate the risk accordingly.


Wednesday, 21 June 2017

Has Skype been HACKED? Microsoft’s messaging service crashes worldwide following claims that it has been attacked by cyber criminals

Skype has crashed for millions of people around the world, following recent updates by Microsoft. The problems began yesterday, but have continued through to today, with users in Europe appearing to be the worst affected. A group of cyber criminals has claimed that they are behind the attack, but this is yet to be confirmed by Microsoft. Microsoft, who owns Skype, has confirmed the issue on Twitter, referring to the outage as a ‘global incident.’ Skype Support tweeted: ‘There is an ongoing incident affecting the ability to connect to the application. We are investigating, stay tuned!’ The firm has said that the incident is causing users to either lose connectivity to the app, or lose their ability to send and receive messages. And according to a blog posted by Microsoft, some users are having problems with group calling, while others are experiencing delays adding users to their friend list.


One kind of Android smartphone ransomware is behind a massive rise in malicious software

The number of different families of ransomware is ever-growing and has risen to almost 10 million known samples of the file-encrypting malware – while the most stealthy forms of malicious software have also boomed. That figure is up from six million ransomware samples just one year ago, representing a 59 percent increase, say figures in the latest McAfee Labs Quarterly Threats Report. One of the most significant reasons the ransomware attacks have risen so much is because cybercriminals are increasingly targeting Android smartphones. The report cites the Congur ransomware as the most significant reason for this, with figures suggesting that this single Android-targeting family accounts for almost nine in ten mobile attacks.



NSA Malware Used to Infect Windows PCs with Cryptocurrency Miner

Malware authors are using an NSA hacking tool to infect Windows computers with a new cryptocurrency miner. Detected under the generic name of Trojan.BtcMine.1259, this trojan was first spotted last week by Russian antivirus vendor Dr.Web. The trojan uses an NSA implant called DOUBLEPULSAR to infect computers that run unsecured SMB services. This implant (NSA term for malware) is a simple backdoor that allows attackers to execute code on the infected machines. The miscreants behind these attacks use DOUBLEPULSAR to download a generic malware loader onto users’ devices. The purpose of this “malware loader” is to check the user’s PC for a minimum number of kernel threads. If the infected computer has enough CPU resources, the generic malware loader will download the final payload, the cryptocurrency miner itself.

ORIGINAL SOURCE: Bleeping Computer


South Korean web host pays largest ransomware demand ever

Hackers appear to have pulled off a $1 million heist with ransomware in South Korea. The ransomware attacked more than 153 Linux servers that South Korean web provider Nayana hosted, locking up more than 3,400 websites on June 10. In Nayana’s first announcement a few days later, it said the hackers demanded 550 bitcoins to free up all the servers — about $1.62 million. Four days later, Nayana said it’d negotiated with the attackers and got the payment reduced to 397 bitcoins, or about $1 million. This is the single largest-known payout for a ransomware attack, and it was an attack on one company. For comparison, the WannaCry ransomware attacked 200,000 computers across 150 countries, and has only pooled $127,142 in bitcoins since it surfaced. Ransomware demands have risen rapidly over the past year, tripling in price from 2015 to 2016. But even then, the highest cost of a single ransomware attack was $28,730. Nayana agreed to pay the ransom in three instalments, and said Saturday it’s already paid two-thirds of the $1 million demand.



Honda halts Japan car plant after WannaCry virus hits computer network

Honda Motor Co said on Wednesday it halted production at a domestic vehicle plant for a day this week after finding the WannaCry ransomware that struck globally last month in its computer network. The automaker shut production on Monday at its Sayama plant, northwest of Tokyo, which produces models including the Accord sedan, Odyssey Minivan and Step Wagon compact multipurpose vehicle and has a daily output of around 1,000 vehicles.
Honda discovered on Sunday that the virus had affected networks across Japan, North America, Europe, China and other regions, a spokeswoman said, despite efforts to secure its systems in mid-May when the virus caused widespread disruption at plants, hospitals and shops worldwide. Production at other plants operated by the automaker had not been affected, and regular operations had resumed at the Sayama plant on Tuesday, she said.



Imperva Enhances the Incapsula Content Delivery Network

Imperva have proved their commitment to protecting business-critical data and applications in the cloud and on premises, and this week they have announced several enhancements to their Incapsula Content Delivery Network (CDN). Designed to improve website performance and responsiveness while simultaneously lowering bandwidth cost, the CDN increases the amount of content delivered from high-speed cache, consequently improving the website visitors’ experience while reducing the load on the website owners’ servers.

Some of the key enhancements to the CDN include:

New Cache Storage Layer

This enhancement increases the amount of cached data, delivering it directly from globally distributed high-speed storage for significantly faster page loads. The storage architecture allows objects retrieved from an origin server by an Incapsula proxy server to be immediately available to all proxies in the Incapsula point of presence (PoP), eliminating the latency introduced when a proxy server needs to query a peer for a cached object. Most CDN customers can expect a cache hit ratio above 99%, a clear improvement.

Rapid Content Switching

The CDN includes application delivery rules which combine with the high-speed cache to enable rapid content switching in the cloud and improve control over site content. The new application delivery rules will allow organisations to forward specific requests to dedicated servers, and redirect their users to a new site based on client type. URLs will be rewritten to improve SEO rankings and enhance the visitor experience.

Bot Traffic Management

Incapsula client classification automatically identifies good, bad and suspected bots. While known bad bots are automatically blocked, suspected bots can burden servers and reduce site responsiveness for legitimate human visitors. IncapRules for application delivery can now manage suspected bots with customized actions like block or redirect. Site scraper bots, for example, can be redirected to other servers or sites during peak traffic periods to recover server bandwidth and improve server response time for human visitors.

“Our clients are increasingly looking for ways to improve site performance while decreasing server load and bandwidth costs, and our new cache architecture provides an opportunity for impressive performance improvements,” said Eldad Chai, vice president of products for the Incapsula service at Imperva. “Combining our client classification technology with new application delivery rules gives our customers more control over their traffic and allows them to move more of their delivery logic to the edge where it belongs.”


The Imperva Incapsula CDN is available immediately by following this link



Over Half of UK Small to Medium Sized Businesses Uncertain of Brexit Impact on GDPR

A year after the UK voted to leave the European Union, new research from Webroot, the market leader in endpoint security, network security, and threat intelligence, has revealed that UK small- to medium-sized businesses (SMBs) misunderstand the impact of Brexit on compliance to the General Data Protection Regulation (GDPR).

Webroot found that UK SMBs were unsure if they would have to adhere to GDPR regulation after Brexit, despite the need to be compliant if data of European citizens is held by the organisation. Further questioning on GDPR found that SMBs disagree with the primary thrust of the regulation, which is to help ensure the security of personal data across the EU, and lack confidence that they can meet the regulation requirements.

Scheduled to go into effect in May 2018, GDPR is intended to strengthen and unify data protection for all individuals within the EU, and applies to any company doing business within the EU. Noncompliance penalties are steep, with fines up to €20 million or 4 percent of global annual turnover. A complete list of GDPR requirements can be found here.


Research Highlights:

  • 46 percent of businesses subject to GDPR compliance were uncertain whether they would have to remain compliant with GDPR after Brexit, and 6 percent were certain that they would not.
  • One-fifth (20 percent) of the companies surveyed subject to GDPR haven’t started the compliance process.
  • 71 percent of these businesses haven’t budgeted for the extra resources required to become compliant.
  • Nearly three-quarters (73 percent) of those businesses that have to become compliant didn’t think customer data will be any safer due to the legislation.
  • Despite 81 percent of those that need to become compliant having heard of the regulation, a third (34 percent) were unable to identify basic regulation details correctly.
  • Of this segment, 26 percent thought that compliance was not mandatory, while 8 percent thought the regulation only applied to large businesses.
  • Despite needing to become compliant to continue operations as normal, nearly half of UK SMBs (49 percent) are not confident they can meet the stringent requirements for compliance.
  • In addition to their confusion about GDPR compliance, 51 percent of all SMB survey respondents believe their business is not at risk of cyberattack, indicating a dangerous misperception about the threat landscape and the need for appropriate security measures.


Key Quote:

Adam Nash, Business Sales Leader for EMEA, Webroot

“GDPR compliance should be a crucial part of every organization’s security strategy. In particular, it’s clear that SMBs urgently need to focus their attention on both GDPR compliance and their wider cybersecurity posture. We recommend that all SMBs adopt a multi-layered security approach to meet GDPR; one that includes network security, antivirus protection, and thorough data protection measures.”


Tips for Businesses:

  • Act now. This is the biggest change to data protection laws since the current EU Data Protection Directive was passed in 1995. Getting ready for the GDPR will require time and resources to implement new processes. It’s crucial to get started now so your business is ready.
  • Know your data. Find out what data and personal data your organisation has, where it’s stored, and in what systems. Planned audits and allocated resources for this work should be scheduled in sooner rather than later.
  • Make sure that any data you do not need is deleted securely. There are legal requirements to maintain certain types of data. But when data retention is not required, disposing of it helps reduce risk. This needs to be done professionally with specialist equipment or software.
  • With any process change, effective communication is essential. Proper internal communications to all employees and external communications to suppliers will help make them aware of changes and give them time to amend their own processes in good time.
  • Consider a privacy impact assessment. When auditing the business’s processing of personal data in relation to GDPR, decide if a privacy impact assessment is required. Consider whether invasive means of collecting personal data are used and if the data is processed fairly and lawfully. Individuals must be informed about the purpose of use and how the business processes personal data in a transparent fashion.


Research Methodology

This research was conducted by Censuswide on behalf of Webroot. Respondents were 501 business decision makers at UK-based small- and medium-sized businesses. Companies needing to comply with the GDPR regulation made up 65 percent (330) of the 501 SMBs surveyed by Webroot. The full report can be found here.


About Webroot

Webroot delivers next-generation endpoint security and network security and threat intelligence services to protect businesses and individuals around the globe. Our smarter approach harnesses the power of cloud-based collective threat intelligence derived from millions of real-world devices to stop threats in real time and help secure the connected world. Our award-winning SecureAnywhere® endpoint solutions, BrightCloud® Threat Intelligence Services, and FlowScape solution protect millions of devices across businesses, home users, and the Internet of Things. Webroot is trusted and integrated by market-leading companies, including Cisco, F5 Networks, Aruba, Palo Alto Networks, A10 Networks, and more. Headquartered in Colorado, Webroot operates globally across North America, Europe, and Asia. Discover Smarter Cybersecurity solutions at



Thwarting Attacks: Back to Basics Best Practices

Most of us know what ransomware is: that thing that encrypts files, holds them for ransom, and (hopefully) decrypts them once the ransom is paid. If ransoms aren’t paid, however, files may be lost. It’s scary when the life of your organisation is in the hands of someone else, especially when you don’t have a recovery plan. But, that’s part of the problem. By discussing ransomware (and malware) attacks before they happen, organisations will be more prepared if or when an incident occurs.

It’s time to review several mitigation strategies that will not only help protect the business, they will also help combat threats posed by other malware families.

To start, let’s take a look at the most recent series of ransomware attacks: WannaCry. This strain of ransomware made headlines for leveraging a leaked NSA-grade exploit to infiltrate networks and hold them for ransom. The vulnerability targeted by WannaCry, addressed by Microsoft security bulletin MS17-010, had been patched and the fix made universally available as part of a routine Microsoft software update several weeks before the ransomware was released, giving organisations ample time to apply the security patch.

Despite the fact that the MS17-010 vulnerability was rated critical and was already being exploited in the wild — which is essentially the highest level of “that needs to be patched yesterday” — many organisations didn’t apply the patch in time. Thankfully for some organisations, basic-yet-effective security precautions had been taken years before WannaCry’s conception.

How, you might ask?

The worms of yesteryear provide some insight. In 2004, Sasser wreaked havoc by exploiting the remote code execution vulnerability in the LSASS process addressed by MS04-011. The worm spread like wildfire via port 445 (sound familiar?) and crippled networks worldwide. Just one year prior, MS-Blast behaved similarly, worming into networks and spreading via phishing attachments and exploits. Systems and organisations were knocked offline by the traffic, causing global damage. We should have learned our lessons then, but unfortunately, history repeats itself.

In 2008, the Conficker worm hit millions of computers using the MS08-067 vulnerability, a remotely exploitable flaw in how Windows systems handle certain requests over port 445. (Again, sound familiar?) This attack was enough of a wake-up call for many organisations and ISPs to start blocking unnecessary inbound ports.

Learning from our — and others’ — oversights is exactly why it’s so important to conduct an after-action analysis following any cyber-attack or compromise. By looking back at WannaCry, we can see that a simple firewall block for inbound port 445 would have prevented most of the attacks.

One of the most common questions organisations are seeking to address in WannaCry’s aftermath is this: how does malware spread? While WannaCry used port 445 to propagate through networks from the internet, malware often spreads via phishing emails, so there’s a chance it could have been packaged inside of a zip file or remotely pulled down via a dropper of some sort. Attackers have also been known to put JavaScript files into zip archives in order to bypass some security measures.

Microsoft Word documents containing macros are another type of dropper common among attackers. While some organisations may allow macros, doing so creates yet another “low-hanging-fruit” situation that many attackers have long been known to target.
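The two dropper patterns just described, a script packaged in a zip archive and an Office document carrying macros, can be caught at mail ingestion with a straightforward container inspection. The block below is an added example, not Flashpoint’s tooling; its sample attachments are constructed in memory from placeholder bytes so it runs offline.

```python
"""Attachment triage for the dropper patterns described above: script files
packaged in zip archives, and Office documents carrying VBA macros.

Added example, not Flashpoint's tooling. The sample attachments are
constructed in memory (placeholder bytes, no real dropper) so it runs offline.
"""
import io
import zipfile

# Extensions Windows will run on double-click; inside a zip they are a red flag.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
                     ".bat", ".cmd", ".scr", ".exe", ".lnk"}
# OOXML documents are zip containers; a vbaProject.bin part means macros.
OFFICE_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
MACRO_PART = "vbaproject.bin"
MAX_DEPTH = 2  # containers nested deeper than this are reported, not unpacked


def _ext(name: str) -> str:
    """Lowercase extension of the final path component ('' if none)."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def triage_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return human-readable findings for one attachment, recursing into
    zip archives and Office containers up to MAX_DEPTH levels."""
    findings = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"{filename}: directly executable attachment ({ext})")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth > MAX_DEPTH:
        findings.append(f"{filename}: container nested deeper than {MAX_DEPTH} levels")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [info for info in zf.infolist() if not info.is_dir()]
        if any(m.filename.lower().rsplit("/", 1)[-1] == MACRO_PART for m in members):
            findings.append(f"{filename}: Office document contains VBA macros")
        for info in members:
            inner_ext = _ext(info.filename)
            if inner_ext in SCRIPT_EXTENSIONS:
                findings.append(
                    f"{filename} -> {info.filename}: script inside archive ({inner_ext})")
            elif inner_ext == ".zip" or inner_ext in OFFICE_EXTENSIONS:
                findings.extend(triage_attachment(
                    f"{filename} -> {info.filename}", zf.read(info), depth + 1))
    return findings


def _make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (placeholder contents, not real malware).
SAMPLE_ATTACHMENTS = {
    # Script hidden inside an archive, the pattern the article describes.
    "invoice_0617.zip": _make_zip({"invoice_0617.js": b"// constructed placeholder"}),
    # Macro-enabled Word document: an OOXML zip with a VBA project part.
    "quote.docm": _make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": b"\x00 constructed placeholder"}),
    # Zip-in-zip wrapping a macro document.
    "docs.zip": _make_zip({"inner.zip": _make_zip(
        {"report.docm": _make_zip({"word/vbaProject.bin": b"\x00"})})}),
    # Benign archive and a non-container file: expected to yield no findings.
    "photos.zip": _make_zip({"holiday.jpg": b"\xff\xd8\xff\xe0 constructed"}),
    "brochure.pdf": b"%PDF-1.4 constructed placeholder",
}


def triage_all(attachments: dict) -> dict:
    """Map each attachment name to its list of findings."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'CLEAN' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

A mail gateway would run this on each MIME part and quarantine or strip anything with findings; the same checks apply to macro-enabled documents whether or not the organisation permits macros.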

Ultimately, these types of after-action exercises can enable organisations to maintain a defence-in-depth approach to security – even when other points may fail.



Written by Ronnie Tokazowski, Senior Malware Analyst, Flashpoint


Tuesday, 20 June 2017

Futurice hires former easyJet CIO Trevor Didcock as first UK director

Digital consultancy Futurice has appointed former easyJet CIO Trevor Didcock as its first UK non-executive director. Didcock, who was named number one in CIO UK’s CIO 100 and who has also held the top CIO position at the AA, HomeServe and RAC, will play a key role in building the UK business.

Futurice works with multinationals on digital strategy and innovation culture to help them become future capable. The company offers a complete end-to-end service from board level consultancy through to co-creating and building digital solutions. Clients include BMW, Nordea and Wärtsilä. Recent projects include working on Nordea Open Banking, a pioneering initiative inviting software developers to test their apps and companies to create new business opportunities using Nordea’s APIs (application programming interfaces) and Samsung Kick, an award winning global football app which uses live data allowing fans to compare players and analyse matches in real time.

Founded in Helsinki, Finland with offices in Germany and Sweden, Futurice’s London office boasts 20 staff and a local client list including Ford, Tesco, Samsung and Moneycorp.

Tom McQueen, MD of Futurice UK said: “We are very happy to have Trevor join our board. Trevor brings extensive experience of delivering successful large-scale digital transformation at organisations such as easyJet and the AA. Trevor is a real advocate of Futurice’s culture and is already helping us on our journey to enable UK enterprises to build future capability.”

Futurice CEO Tuomas Syrjänen added: “Trevor’s decision to join the Futurice board is a huge endorsement of our human-centred approach to business change. His experience as the CIO of major public listed companies means he brings invaluable insight into the challenges faced by big corporates as they seek to use emerging technologies to improve operational efficiencies and deliver the best possible customer experience.”

Commenting on his decision to join the Futurice board, Trevor Didcock said:

“I met Futurice on a project we both worked on involving product development and agile engineering in the airline sector. I was enormously impressed by the quality of their consultants and practices, and by the company’s people-centred workplace culture with its focus on trust and transparency.

“Businesses seeking to become digitally driven face a complex journey when it comes to re-engineering their business model, processes, and culture. Futurice has the breadth and expertise to empower and enable senior management and innovation teams so that they can survive and thrive in a constantly evolving digital landscape.

“I’m looking forward to working with the board on a UK and international level as we guide the business to the next stage of growth.”

As CIO of easyJet, Trevor led the airline’s “Turn Europe Orange” initiative which created new products and channels and introduced allocated seating as part of a programme of renewal across the airline, helping to quadruple profits. He was also responsible for developing a long-term IT strategy for easyJet aimed at future-proofing its technology offering.

During his earlier CIO career, Trevor oversaw extensive digital transformation at HomeServe, the AA and the RAC, in each case being part of an executive board that averaged double digit percentage annual profit growth. Trevor has featured regularly in Top CIO league tables, including the Silicon 50, the CIO 100 and UK Tech 50. He took the number one slot in CIO UK’s CIO 100 in 2012.

In addition to Futurice, Trevor fulfils non-executive, advisory and coaching roles for clients including the Civil Aviation Authority, Affinity Water, Leading Resolutions and FLYdocs.


EU Warns of ‘United Response’ to Cyber-Attacks

The European Union warned Monday that a cyber-attack on any one member state could merit a response by all members of the bloc, amid growing fears of hackers holding governments to ransom.


CSI sees more than 1 million malicious attempts daily to get into its computer system

Every day, the College of Southern Idaho sees an average of 800,000 to 1.1 million malicious attempts to get into its computer network perimeter.



Privacy International Sends Brexit Teams Anti-Surveillance Package

Rights group Privacy International (PI) has sent Brexit negotiators advice and technology designed to mitigate the risk of surveillance by intelligence agencies on the opposite side.



ORIGINAL SOURCE: Info Security Magazine



South Korean Web Hosting Provider Pays $1 Million in Ransomware Demand

Nayana, a web hosting provider based in South Korea, announced it is in the process of paying a three-tier ransom demand of nearly $1 million worth of Bitcoin, following a ransomware infection that encrypted data on customers’ servers.



ORIGINAL SOURCE: Bleeping Computer


Amount of malware targeting smart devices more than doubled in 2017

The total number of malware samples targeting smart devices has reached more than 7,000, with over half of these emerging in 2017, according to Kaspersky Lab’s researchers. With more than six billion smart devices being used across the globe, people are increasingly being put at risk from malware targeting their connected lives.

Smart devices – such as smartwatches, smart TVs, routers, and cameras – are connecting to each other and building the growing Internet of Things (IoT) phenomenon, a network of devices equipped with embedded technology that allows them to interact with each other or the external environment. Because of the large number and variety of devices, the IoT has become an attractive target for cybercriminals. By successfully hacking IoT devices criminals are able to spy on people, blackmail them, and even discreetly make them their partners in crime. What’s worse, botnets such as Mirai and Hajime have indicated that the threat is on the rise.

Kaspersky Lab’s experts have conducted research into IoT malware to examine how serious the risk is. They have set up honeypots – artificial networks, which simulate the networks of different IoT devices (routers, connected cameras etc.) to observe malware attempting to attack their virtual devices. They did not have to wait long – attacks using known and previously unknown malicious samples started almost immediately after the honeypot was set up.

Most of the attacks registered by the company’s experts targeted digital video recorders or IP cameras (63 per cent), and 20 per cent of hits were against network devices, including routers, and DSL modems, etc. About 1 per cent of targets were people’s most common devices, like printers and smart home devices.

China (17 per cent), Vietnam (15 per cent), and Russia (8 per cent) emerged as the top-3 countries with attacked IoT devices, each presenting a large number of the infected machines. Brazil, Turkey and Taiwan – all at 7 per cent, follow.

To date during this ongoing experiment, researchers have been able to collect information about more than seven thousand malware samples designed specifically to hack connected devices.

According to experts, the reason behind the rise is simple: the IoT is fragile and exposed in the face of cybercriminals. The vast majority of smart devices are running operating systems based on Linux, making attacks on them easier because criminals can write generic malicious code that targets a huge number of devices simultaneously.

What makes the issue dangerous is its potential reach. According to industry experts, there are already more than six billion smart devices across the globe. Most of them do not even have a security solution and their manufacturers usually do not produce any security updates or new firmware. This means there are millions and millions of potentially vulnerable devices – or maybe even devices that have been already compromised.


“The issue of smart device security is serious, and one that we should all be aware of. Last year showed that it is not just possible to target connected devices, but that this is a very real threat. We have seen a huge increase in IoT malware samples, but the potential is even greater. Apparently, high competition in the market of DDoS attacks is pushing attackers to search for new resources that will help them make increasingly powerful attacks. Botnet Mirai demonstrated that smart devices can give cybercriminals what they need, with the number of devices they can target now reaching billions. Various analysts have predicted that by 2020, this could grow to 20-50 billion devices,” said Vladimir Kuskov, security expert, Kaspersky Lab.


In order to protect your devices, Kaspersky Lab security experts advise the following:

  1. If you don’t need to, do not access your device from an external network.
  2. Disable all network services you do not need in order to use the device.
  3. If there is a standard or universal password that cannot be changed, or the preset account cannot be deactivated, disable the network services in which they are used, or close access to external networks.
  4. Before using the device, change the default password and set a new one.
  5. Regularly update the device’s firmware to the latest version, if possible.

To learn more about IoT attacks, please read the blog post available at


FICO Survey: UK Firms May Be Overconfident About Cybersecurity Protection

  • 56 percent of UK firms surveyed said they are better prepared for data breaches than their competitors.
  • Telecommunications respondents were least realistic, with 84 percent rating their firms above average, and 42 percent thinking they are top performers.
  • Ovum conducted telephone surveys for FICO of security executives at 350 companies in the UK and other countries.

Senior executives at UK firms may be overconfident about their cybersecurity protection, according to a new survey conducted by research and consultancy firm Ovum for Silicon Valley analytics firm FICO. 56 percent of executives from UK firms said they were better prepared than their competitors, and about half of these executives said their firm was a top performer. UK respondents were more likely to rate their firms as above average than respondents from other countries, including the US.

More information:

Telecommunications providers were the most confident of all. A full 84 percent of respondents said they were better prepared than their competitors, with 42 percent calling their firm a top performer. Financial services institutions were more realistic, with just 46 percent of respondents believing their firm is above average, and only 17 percent saying it is a top performer.

In addition, only 33% of UK respondents said their firms use an outside source to benchmark their security.

“It is reasonable to assume that a lack of objective measurement is helping to give firms an optimistic view of their cybersecurity situation,” said Steve Hadaway, FICO general manager for Europe, the Middle East and Africa. “For example, we also found that only 41 percent of UK firms surveyed have a tested data breach response plan, compared to 52 percent in the US. There’s nothing wrong with thinking you’re doing better than the next guy, unless it leads to complacency and a lack of investment, and our survey clearly showed that more investment is needed.”

Ovum conducted the survey for FICO through telephone interviews with 350 CXOs and senior security officers in the US, Canada, the UK and the Nordics in March and April 2017. Respondents represented firms in financial services, telecommunications, retail, ecommerce and media service providers. FICO’s solutions for cybersecurity include the FICO® Enterprise Security Score, which firms use to benchmark their own cybersecurity posture as well as that of vendors and partners.

The post FICO Survey: UK Firms May Be Overconfident About Cybersecurity Protection appeared first on IT SECURITY GURU.


McAfee Labs report reviews 30-year evolution of evasion techniques

McAfee Inc. today released its McAfee Labs Threats Report: June 2017, which examines the origins and inner workings of the Fareit password stealer, provides a review of the 30-year history of evasion techniques used by malware authors, explains the nature of steganography as an evasion technique, assesses reported attacks across industries, and reveals growth trends in malware, ransomware, mobile malware, and other threats in Q1 2017.

“There are hundreds, if not thousands, of anti-security, anti-sandbox, and anti-analyst evasion techniques employed by hackers and malware authors, and many of them can be purchased off the shelf from the Dark Web,” said Vincent Weafer, Vice President of McAfee Labs. “This quarter’s report reminds us that evasion has evolved from trying to hide simple threats executing on a single box, to the hiding of complex threats targeting enterprise environments over an extended period of time, to entirely new paradigms, such as evasion techniques designed for machine learning based protection.”


30 Years of Malware Evasion Techniques

Malware developers began experimenting with ways to evade security products in the 1980s, when a piece of malware defended itself by partially encrypting its own code, making the content unreadable by security analysts. The term evasion technique groups all the methods used by malware to avoid detection, analysis, and understanding. McAfee Labs classifies evasion techniques into three broad categories:

  • Anti-security techniques: Used to avoid detection by antimalware engines, firewalls, application containment, or other tools that protect the environment.
  • Anti-sandbox techniques: Used to detect automatic analysis and avoid engines that report on the behavior of malware. Detecting registry keys, files, or processes related to virtual environments lets malware know if it is running in a sandbox.
  • Anti-analyst techniques: Used to detect and fool malware analysts, for example, by spotting monitoring tools such as Process Explorer or Wireshark, as well as some process-monitoring tricks, packers, or obfuscation to avoid reverse engineering.
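The second and third categories both rest on the malware looking for artefacts of the analysis environment: VM service binaries and registry keys for anti-sandbox checks, monitoring tools and debugger APIs for anti-analyst checks. A triage step that the categories suggest is to pull printable strings from a sample and see which of those artefact names it carries. The following is an added example (not McAfee Labs' code): a small string extractor plus a constructed indicator list grouped by the categories above, run over a constructed byte blob standing in for a sample.

```python
"""Triage a sample for strings that hint at anti-sandbox / anti-analyst checks.
Added example; the indicator list and the sample blob are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

# Artefact names evasion code commonly looks for, grouped by the report's
# categories. Constructed for this example; real rule sets are far longer.
ARTIFACT_INDICATORS = {
    "anti-sandbox": [
        "VBoxService.exe", "VBoxTray.exe", "vmtoolsd.exe",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "HARDWARE\\ACPI\\DSDT\\VBOX__",
    ],
    "anti-analyst": [
        "procexp.exe", "Wireshark.exe", "ollydbg.exe", "x64dbg.exe",
        "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
    ],
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")             # runs of printable ASCII
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")     # UTF-16LE, as Windows binaries store it


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least five characters."""
    out = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return out


def triage_evasion_strings(data: bytes) -> Dict[str, List[str]]:
    """Map each category to the sorted indicators found in the sample's strings."""
    lowered = [s.lower() for s in extract_strings(data)]
    found = defaultdict(set)
    for category, indicators in ARTIFACT_INDICATORS.items():
        for ind in indicators:
            if any(ind.lower() in s for s in lowered):
                found[category].add(ind)
    return {c: sorted(v) for c, v in found.items()}


# Constructed stand-in for a sample: header bytes, one ASCII artefact name,
# one UTF-16LE artefact name, and some harmless text.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"VBoxService.exe\x00" + b"\x01\x02"
          + "procexp.exe".encode("utf-16-le") + b"\x00\x00"
          + b"ordinary text here")

if __name__ == "__main__":
    print(triage_evasion_strings(SAMPLE))
```

A hit is a prompt for a human, not a verdict: legitimate software also references VM tools and debugger APIs, and obfuscated samples hide these strings entirely, which is exactly the anti-analyst category at work.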

The June 2017 McAfee Labs report examines some of the most powerful evasion techniques, the robust dark market for off-the-shelf evasion technology, how several contemporary malware families leverage evasion techniques, and what to expect in the future, including machine learning evasion and hardware-based evasion.


Hiding in Plain Sight: The Concealed Threat of Steganography

Steganography is the art and science of hiding secret messages. In the digital world, it is the practice of concealing messages in images, audio tracks, video clips, or text files. Often, digital steganography is used by malware authors to avoid detection by security systems. The first known use of steganography in a cyberattack was in the Duqu malware in 2011. When using a digital image, secret information is inserted by an embedding algorithm, the image is transmitted to the target system, and there the secret information is extracted for use by malware. The modified image is often difficult to detect by the human eye or by security technology.

McAfee Labs sees network steganography as the newest form of this discipline, as unused fields within the TCP/IP protocol headers are used to hide data. This method is on the rise because attackers can send an unlimited amount of information through the network using this technique.
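The "unused fields" of the network steganography paragraph are concrete: the reserved bit in the IPv4 flags field, the reserved bits next to the TCP data offset, and the TCP urgent pointer when the URG flag is clear are all places where data can ride without affecting delivery. A network sensor can therefore flag packets in which those fields are non-zero. The following is an added example (not McAfee Labs' code) that builds two constructed IPv4+TCP headers with `struct`, one clean and one carrying data in those fields, and reports which covert-channel indicators each one trips. Checksums are not computed, since the check does not need them.

```python
"""Flag IPv4/TCP header fields that should be zero but are not.
Added example; packets are constructed in-line and carry no real traffic."""
import struct
from typing import List

IP_RESERVED_FLAG = 0x8000   # top bit of the IPv4 flags/fragment-offset field
TCP_RESERVED_MASK = 0x0E    # three reserved bits after the data offset (NS bit excluded)
TCP_URG_FLAG = 0x20


def build_ipv4_tcp(flags_frag: int = 0, tcp_reserved: int = 0, tcp_flags: int = 0x18,
                   urg_ptr: int = 0, payload: bytes = b"") -> bytes:
    """Minimal 20-byte IPv4 header + 20-byte TCP header (constructed; no checksums)."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    offset_and_reserved = (5 << 4) | (tcp_reserved & 0x0F)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, offset_and_reserved,
                      tcp_flags, 65535, 0, urg_ptr)
    return ip + tcp + payload


def covert_header_indicators(packet: bytes) -> List[str]:
    """Return a description of every 'should be zero' field that is set."""
    findings: List[str] = []
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not an IPv4 packet"]
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    if flags_frag & IP_RESERVED_FLAG:
        findings.append("IPv4 reserved flag bit set")
    if packet[9] != 6 or len(packet) < ihl + 20:
        return findings                      # only TCP is inspected further
    tcp = packet[ihl:]
    if tcp[12] & TCP_RESERVED_MASK:
        findings.append(f"TCP reserved bits set: {(tcp[12] & TCP_RESERVED_MASK) >> 1:#05b}")
    flags = tcp[13]
    urg_ptr = struct.unpack("!H", tcp[18:20])[0]
    if urg_ptr and not flags & TCP_URG_FLAG:
        findings.append(f"urgent pointer {urg_ptr:#06x} set without URG flag")
    return findings


# Constructed packets: a normal DF segment and one with bits tucked into reserved fields.
CLEAN = build_ipv4_tcp(flags_frag=0x4000)
STEGO = build_ipv4_tcp(flags_frag=0x8000 | 0x4000, tcp_reserved=0x06, urg_ptr=0x41)

if __name__ == "__main__":
    print("clean:", covert_header_indicators(CLEAN) or ["no indicators"])
    print("stego:", covert_header_indicators(STEGO))
```

In live traffic a single odd packet is noise; the signal is a host that emits such packets steadily, so the findings are best counted per source over time rather than alerted on individually.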


Fareit: The Most Infamous Password Stealer

Fareit first appeared in 2011 and has since evolved in a variety of ways, including new attack vectors, enhanced architecture and inner workings, and new ways to evade detection. There is a growing consensus that Fareit, now the most infamous password-stealing malware, was likely used in the high-profile Democratic National Committee breach before the 2016 U.S. Presidential election.

Fareit spreads through mechanisms such as phishing emails, DNS poisoning, and exploit kits. A victim could receive a malicious spam email containing a Word document, JavaScript, or archive file as an attachment. Once the user opens the attachment, Fareit infects the system, sends stolen credentials to its control server, and then downloads additional malware based on its current campaign.

The 2016 DNC breach was attributed to a malware campaign known as Grizzly Steppe. McAfee Labs identified Fareit hashes in the indicators of compromise list published in the U.S. government’s Grizzly Steppe report. The Fareit strain is believed to be specific to the DNC attack and dropped by malicious Word documents spread through phishing email campaigns.

The malware references multiple control server addresses that are not commonly observed in Fareit samples found in the wild. It was likely used in conjunction with other techniques in the DNC attack to steal email, FTP, and other important credentials. McAfee Labs suspects that Fareit also downloaded advanced threats such as Onion Duke and Vawtrak onto the victims’ systems to carry out further attacks.

“With people, businesses, and governments increasingly dependent on systems and devices that are protected only by passwords, these credentials are weak or easily stolen, creating an attractive target for cybercriminals,” Weafer continued. “McAfee Labs believes attacks using password-stealing tactics are likely to continue to increase in number until we transition to two-factor authentication for system access. The Grizzly Steppe campaign provides a preview of new and future tactics.”


Q1 2017 Threat Activity

In the first quarter of 2017, the McAfee Labs Global Threat Intelligence network registered notable trends in cyber threat growth and cyberattack incidents across industries:

  • New threats. In Q1 2017, there were 244 new threats every minute, or more than four every second.
  • Security incidents. McAfee Labs counted 301 publicly disclosed security incidents in Q1, an increase of 53% over the Q4 2016 count. The health, public, and education sectors comprised more than 50% of the total.
  • New malware samples rebounded in Q1 to 32 million. The total number of malware samples increased 22% in the past four quarters to 670 million known samples. New malware counts rebounded to the quarterly average seen during the past four years.
  • Mobile malware. Mobile malware reports from Asia doubled in Q1, contributing to a 57% increase in global infection rates. Total mobile malware grew 79% in the past four quarters to 16.7 million samples. The largest contributor to this growth was Android/SMSreg, a potentially unwanted program detection from India.
  • Mac OS malware. During the past three quarters, new Mac OS malware has been boosted by a glut of adware. Although still small compared with Windows threats, the total number of Mac OS malware samples grew 53% in Q1.
  • New ransomware samples rebounded in Q1 primarily due to Congur ransomware attacks on Android OS devices. The number of total ransomware samples grew 59% in the past four quarters to 9.6 million known samples.
  • Spam botnets. In April, the mastermind behind the Kelihos botnet was arrested in Spain. Kelihos was responsible over many years for millions of spam messages that carried banking malware and ransomware. The US Department of Justice acknowledged international cooperation between United States and foreign authorities, the Shadow Server Foundation, and industry vendors.

For more information on these trends, or more threats landscape statistics for Q1 2017, visit for the full report.


The post McAfee Labs report reviews 30-year evolution of evasion techniques appeared first on IT SECURITY GURU.


Monday, 19 June 2017

The Industrial Control Cyber Security Was Addressed at the US Cyber Senate Summit

Security experts discussed the latest threat to industry through cyber attacks

Leading cyber security professionals from across the country gathered at the 4th Industrial Control Cyber Security USA summit, held to discuss how the USA can protect itself from cyber security threats in the wild.

This was discussed in particular because of the recent discovery of the CrashOverride malware, an advanced new piece of malware designed specifically to take down industrial control systems. It was the malware that left Kiev completely disconnected and in the dark in 2016.


The post The Industrial Control Cyber Security Was Addressed at the US Cyber Senate Summit appeared first on Cyber Security Portal.

from Annadiane Annadiane – Cyber Security Portal

Facebook to use AI to tackle Online Extremism

In a recent blog post, Facebook has announced its intention to begin using AI to find and remove terrorist content before it reaches users. This comes after the social media giant was widely criticized around the world for appearing to do very little to prevent and remove such content, and for not doing enough to tackle online extremism.

In the blog post, Facebook makes clear that this technological tool is only one part of what needs to be a multi-partner effort to tackle online extremism. Alongside the introduction of AI, Facebook will be working with other industry experts and governments around the world, and calling upon its own user community to report incidents which break the community standards and to remain vigilant while online.

Commenting on this, Homer Strong, Director of Data Science at Cylance, says ‘overall this direction is promising. A major issue with using humans to provide ground truth for AI is that humans are not perfect either. There need to be processes for evaluating human judgement in parallel to machine judgement. Otherwise the AI can end up learning the subjectivities of individual reviewers, distracting the AI from learning properly.’ He adds, ‘Both the confidence and the decision of sufficiently sophisticated AI can be bypassed using adversarial learning techniques. A terrorist who is blocked by Facebook is more likely to switch to some other platform rather than bypass the AI, but Facebook can never completely remove terrorist content.’


The post Facebook to use AI to tackle Online Extremism appeared first on IT SECURITY GURU.


Is your E-Cig a Security Risk?

News broke last week that E-cigarettes can be used to hack computers!

Many E-cigarettes are chargeable via USB, either by plugging the device directly into the USB port or through the use of a charging cable. That seems innocent enough, right? Security researchers, however, have now warned that this simple act can actually compromise your computer, with just a few very simple tweaks to the vaporizer.

Security researcher Ross Bevington showcased the concept at BSides London, revealing how the device could be used to fool the computer into thinking it was actually a keyboard, or to interfere with its network traffic.

As Mark James, Security Specialist at ESET, explains: ‘hackers are always on the lookout for the next big opportunity to dupe the poor unsuspecting public. E-cigarettes have become extremely popular, with a high number of people using them. As USB dongles are used to charge the devices, it’s relatively easy to include extra hardware in the charger to enable communication with the endpoint device. From there it could compromise your machine or download malware directly to your desktop; in most cases, when you are charging your device there’s a good chance you will be using your laptop or desktop, i.e. logged in and authenticated, and so the malware has a much higher chance of being successful in this state.’

Adam Brown, Manager of Security Solutions at Synopsys, also adds: ‘Last year the University of Illinois and University of Michigan published research that showed if a hacker deliberately dropped a USB stick (which could have malware on it) there was a 50% chance that someone would pick it up and plug it into a computer. As Bevington’s recent research shows, a vape pipe could easily be modified to work as any kind of peripheral device when plugged in, and so could be used in a similar way to either deliver a payload or perform some other malicious activity while plugged in. Potentially a vape pipe given away would very likely end up plugged in to a computer for charging and so would be an effective device for a targeted attack on a known vaper.’

The good news for vapers everywhere, however, is that there are ways to prevent yourself from becoming a victim of this kind of attack, as Mark James points out: ‘if you want to stay safe from this type of attack, consider using a power adapter to charge your devices, or if you’re going to use your computer, then consider being logged out. Try, where possible, to be on the latest operating system, fully patched and up to date. Also make sure you have a good, updated, multi-layered internet security product to catch any infection that may be attempted, and be especially wary of buying third-party charging dongles if you lose or break your supplied one.’


The post Is your E-Cig a Security Risk? appeared first on IT SECURITY GURU.


KASPERAGENT malware campaign resurfaces in the run up to May Palestinian Authority elections

ThreatConnect has identified a KASPERAGENT malware campaign leveraging decoy Palestinian Authority documents. The samples date from April – May 2017, coinciding with the run up to the May 2017 Palestinian Authority elections. Although we do not know who is behind the campaign, the decoy documents’ content focuses on timely political issues in Gaza and the IP address hosting the campaign’s command and control node hosts several other domains with Gaza registrants.

In this blog post we will detail our analysis of the malware and associated indicators, look closely at the decoy files, and leverage available information to make an educated guess on the possible intended target. Associated indicators and screenshots of the decoy documents are all available here in the ThreatConnect platform.


Background on KASPERAGENT

KASPERAGENT is Microsoft Windows malware used in efforts targeting users in the United States, Israel, Palestinian Territories, and Egypt since July 2015. The malware was discovered by Palo Alto Networks Unit 42 and ClearSky Cyber Security, and publicised in April 2017 in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog. It is called KASPERAGENT based on PDB strings identified in the malware such as “c:\Users\USA\Documents\Visual Studio 2008\Projects\New folder (2)\kasper\Release\kasper.pdb.”

The threat actors used shortened URLs in spear phishing messages and fake news websites to direct targets to download KASPERAGENT. Upon execution, KASPERAGENT drops the payload and a decoy document that displays Arabic names and ID numbers. The malware establishes persistence and sends HTTP requests to the command and control domain mailsinfo[.]net. Of note, the callbacks were to PHP scripts that included /dad5/ in the URLs. Most samples of the malware reportedly function as a basic reconnaissance tool and downloader. However, some of the recently identified files display “extended-capability”, including the functionality to steal passwords, take screenshots, log keystrokes, and steal files. These “extended-capability” samples called out to an additional command and control domain, stikerscloud[.]com. Additionally, early variants of KASPERAGENT used “Chrome” as the user agent, while more recent samples use “OPAERA” – a possible misspelling of the “Opera” browser. The indicators associated with the blog article are available in the ThreatConnect Technical Blogs and Reports source here.

The samples we identified leverage the same user agent string “OPAERA”, included the kasper PDB string reported by Unit 42, and used similar POST and GET requests. The command and control domains were different, and these samples used unique decoy documents to target their victims.


Identifying another KASPERAGENT campaign

We didn’t start out looking for KASPERAGENT, but a file hit on one of our YARA rules for an executable designed to display a fake XLS icon – one way adversaries attempt to trick targets into thinking a malicious file is innocuous. The first malicious sample we identified (6843AE9EAC03F69DF301D024BFDEFC88) had the file name “testproj.exe” and was identified within an archive file (4FE7561F63A71CA73C26CB95B28EAEE8) with the name “التفاصيل الكاملة لأغتيال فقهاء.r24”. This translates to “The Complete Details of Fuqaha’s Assassination”, a reference to Hamas military leader Mazen Fuqaha who was assassinated on March 24, 2017.

We detonated the file in VxStream’s automated malware analysis capability and found testproj.exe dropped a benign Microsoft Word document that pulls a jpg file from treestower[.]com. We observed this site in association with another sample that called out to mailsinfo[.]net – a host identified in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog. That was our first hint that we were looking at KASPERAGENT.

The jpg pulled from treestower[.]com displays a graphic picture of a dead man, which also appeared on a Palestinian news website discussing the death of Hamas military leader Mazen Fuqaha. A separate malicious executable – 2DE25306A58D8A5B6CBE8D5E2FC5F3C5 (vlc.exe) – runs when the photograph is displayed, using the YouTube icon and calling out to several URLs on windowsnewupdates[.]com. This host was registered in late March and appears to be unique to this campaign.

With our interest piqued, we pivoted on the import hash (also known as an imphash), which captures the import table of a given file. Shared import hashes across multiple files would likely identify files that are part of the same malware family. We found nine additional samples sharing the imphash values for the two executables, C66F88D2D76D79210D568D7AD7896B45 and DCF3AA484253068D8833C7C5B019B07.
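An imphash is the MD5 of the file's import table written out as `library.function` entries in import order, with the library's extension stripped and everything lowercased, so two builds that differ in code but link the same API set in the same order hash identically. The following is an added example, not ThreatConnect's or pefile's code, that implements that computation over constructed import tables rather than parsing a real PE, and shows the pivot the paragraph describes by clustering samples on the hash. One simplification, labelled in the code: ordinal imports are written as `ordN`, whereas the widely used pefile implementation first resolves ordinals of a few well-known DLLs to names.

```python
"""Compute pefile-style import hashes over constructed import tables and cluster on them.
Added example; the sample import tables are constructed, not from real files."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple, Union

# (DLL name, [function name or ordinal, ...]) in the order the import table lists them.
ImportTable = List[Tuple[str, List[Union[str, int]]]]


def imphash_string(imports: ImportTable) -> str:
    """Canonical 'lib.func,lib.func,...' string that is hashed."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):   # strip only these extensions
            lib = base
        for f in funcs:
            # Simplification: ordinals become 'ordN' without the well-known-DLL lookup.
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports: ImportTable) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def cluster_by_imphash(samples: Dict[str, ImportTable]) -> Dict[str, List[str]]:
    """Group sample names by their imphash: the pivot used to find related files."""
    groups = defaultdict(list)
    for name, table in samples.items():
        groups[imphash(table)].append(name)
    return {h: sorted(names) for h, names in groups.items()}


# Constructed samples: A and B differ only in how the linker cased the DLL names,
# C adds one registry API and therefore lands in a different cluster.
SAMPLES: Dict[str, ImportTable] = {
    "sample_a.exe": [("KERNEL32.dll", ["CreateFileA", "WriteFile"]), ("WS2_32.dll", ["send"])],
    "sample_b.exe": [("kernel32.DLL", ["CreateFileA", "WriteFile"]), ("ws2_32.dll", ["send"])],
    "sample_c.exe": [("KERNEL32.dll", ["CreateFileA", "WriteFile"]), ("WS2_32.dll", ["send"]),
                     ("ADVAPI32.dll", ["RegSetValueExA"])],
}

if __name__ == "__main__":
    for h, names in cluster_by_imphash(SAMPLES).items():
        print(h, names)
```

Two caveats for using the pivot on real files: import order is part of the hash, so a rebuild that reorders imports breaks the link, and packed samples import almost nothing, so many unrelated packed files share one imphash.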

Analysis of those files uncovered two more imphashes, 0B4E44256788783634A2B1DADF4F9784 and E44F0BD2ADFB9CBCABCAD314D27ACCFC, for a total of 20 malicious files. These additional samples behaved similarly to the initial files; testproj.exe dropped benign decoy files and started malicious executables. The malicious executables all called out to the same URLs on windowsnewupdates[.]com.

These malware samples leverage the user agent string “OPAERA,” the same one identified in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog. Although the command and control domain was different from those in the report, the POST and GET requests were similar and included /dad5/ in the URL string. In addition, the malware samples included the kasper PDB string reported by Unit 42, prompting us to conclude that we were likely looking at new variants of KASPERAGENT.
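The three network traits gathered in this section, the "OPAERA" user agent, the /dad5/ callback path and the command and control domains, are all visible in web proxy logs. The following is an added example (not ThreatConnect's code) that refangs the defanged domains from this post and scans constructed proxy log lines for any of the three traits; the log format and the log lines are constructed for the example, while the indicators themselves are those named in the post.

```python
"""Match KASPERAGENT network indicators from this post against constructed proxy logs.
Added example; the log format and lines are constructed, the indicators are the post's."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Command and control domains as written (defanged) in the post.
C2_DOMAINS_DEFANGED = ["windowsnewupdates[.]com", "mailsinfo[.]net", "stikerscloud[.]com"]
SUSPICIOUS_PATH = "/dad5/"
SUSPICIOUS_UA = "OPAERA"


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the indicator matches real logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Constructed log format: <timestamp> <client ip> <method> <url> "<user agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def classify(line: str) -> Optional[Dict]:
    """Return the parsed record with its list of reasons, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    reasons: List[str] = []
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append(f"known C2 domain {host}")
    if SUSPICIOUS_PATH in url.path:
        reasons.append("KASPERAGENT-style /dad5/ callback path")
    if SUSPICIOUS_UA.lower() in m["ua"].lower():
        reasons.append("OPAERA user agent")
    return {"ts": m["ts"], "client": m["client"], "url": m["url"], "reasons": reasons}


def scan(lines: List[str]) -> List[Dict]:
    """Only records that tripped at least one indicator."""
    return [r for r in map(classify, lines) if r and r["reasons"]]


# Constructed log lines: one benign request, one full callback, one path-only hit, one junk line.
LOG_LINES = [
    '2017-04-12T10:02:11Z 10.1.2.3 GET http://example.org/index.html "Mozilla/5.0 (Windows NT 6.1)"',
    '2017-04-12T10:05:40Z 10.1.2.7 POST http://windowsnewupdates.com/dad5/index.php "OPAERA"',
    '2017-04-12T10:06:02Z 10.1.2.9 GET http://cdn.example.net/dad5/img.jpg "Mozilla/5.0"',
    'malformed line with no structure',
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit["ts"], hit["client"], hit["url"], "->", "; ".join(hit["reasons"]))
```

The path-only hit on a third-party host is deliberately kept: a single weak indicator is worth recording, but a host that matches two or three at once, as the second line does, is what should page someone.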


The Decoy Files

Several of the decoy files appeared to be official documents associated with the Palestinian Authority – the body that governs the Palestinian Territories in the Middle East. We do not know whether the files are legitimate Palestinian Authority documents, but they are designed to look official. Additionally, most of the decoy files are publicly available on news websites or social media.

The first document – dated April 10, 2017 – is marked “Very Secret” and addressed to Yahya Al-Sinwar, who Hamas elected as its leader in Gaza in February 2017. Like the photo displayed in the first decoy file we found, this document references the death of Mazen Fuqaha. The Arabic-language text and English translation of the document are available in ThreatConnect here.

The second legible file, dated April 23, has the same letterhead and also is addressed to Yahya al-Sinwar. This file discusses the supposed announcement banning the rival Fatah political party, which controls the West Bank, from Gaza. It mentions closing the Fatah headquarters and houses that were identified as meeting places as well as the arrest of some members of the party.


Looking at the Infrastructure

We don’t know for sure who is responsible for this campaign, but digging into the passive DNS results led us to some breadcrumbs. Starting with 195.154.110[.]237, the IP address which is hosting the command and control domain windowsnewupdates[.]com, we found that the host is on a dedicated server. Using our Farsight DNSDB integration, we identified other domains currently and previously hosted on the same IP.

Two of the four domains that have been hosted at this IP since 2016 — upfile2box[.]com and 7aga[.]net — were registered by a freelance web developer in Gaza, Palestine. This IP has been used to host a small number of domains, some of which were registered by the same actor, suggesting the IP is dedicated for a single individual or group’s use. While not conclusive, it is intriguing that the same IP was observed hosting a domain ostensibly registered in Gaza AND the command and control domain associated with a series of targeted attacks leveraging Palestinian Authority-themed decoy documents referencing Gaza.

Targeting Focus?

Just as we can’t make a definitive determination as to who conducted this campaign, we do not know for sure who it was intended to target. What we do know is that several of the malicious files were submitted to a public malware analysis site from the Palestinian Territories. This tells us that it is possible either the threat actors or at least one of the targets is located in that area. Additionally, as previously mentioned, the decoy document subject matter would likely be of interest to a few different potential targets in the Palestinian Territories: Hamas, which controls the Gaza Strip and counts Mazen Fuqaha and Yahya al-Sinwar as members; Israel, which is accused of involvement in the assassination of Mazen Fuqaha; and the Fatah party, of which the Prime Minister and President of the Palestinian Authority are members.

The campaign corresponds with a period of heightened tension in Gaza. Hamas, who has historically maintained control over the strip, elected Yahya al-Sinwar – a hardliner from its military wing – as its leader in February. A Humanitarian Bulletin published by the United Nations’ Office for the Coordination of Humanitarian Affairs indicates in March 2017 (just before the first malware samples associated with this campaign were identified in early April) Hamas created “a parallel institution to run local ministries in Gaza,” further straining the relationship between Hamas and the Palestinian Authority who governs the West Bank. After this announcement, the Palestinian Authority cut salaries for its employees in Gaza by 30 percent and informed Israel that it would no longer pay for electricity provided to Gaza causing blackouts throughout the area and escalating tensions between the rival groups. Then, in early May (two days after the last malware sample was submitted) the Palestinian Authority held local elections in the West Bank which were reportedly seen as a test for the Fatah party. Elections were not held in Gaza.

All of that is to say, the decoy documents leveraged in this campaign would likely be relevant and of interest to a variety of targets in Israel and Palestine, consistent with previously identified KASPERAGENT targeting patterns. Additionally, the use of what appear to be carefully crafted documents at the very least designed to look like official government correspondence suggests the malware may have been intended for a government employee or contractor who would be interested in the documents’ subject matter. More associated indicators, screenshots of many of the decoy documents, and descriptions of the activity are available via the March – May 2017 Kasperagent Malware Leveraging WindowsNewUpdates[.]com Campaign in ThreatConnect.

The post KASPERAGENT malware campaign resurfaces in the run up to May Palestinian Authority elections appeared first on IT SECURITY GURU.
