Monthly Archives: July 2018

Corporate networks vulnerable to insider attacks, report finds

Researchers found that 100% of corporate networks tested in 2017 were vulnerable to insider attacks, with Wi-Fi networks and employees among the top areas of weakness.

During penetration testing performed as an internal attacker, Positive Technologies researchers were able to obtain full control of infrastructure on all corporate networks they attempted to compromise.

The difficulty of accessing critical resources could be considered “moderate” on only 7% of networks tested, according to the research report.

Penetrating the network perimeter has become easier over time, the report reveals, with the difficulty of accessing the internal network assessed as “trivial” in 56% of tests in 2017, compared with just 27% in 2016.

On average, Positive Technologies testers found two attack vectors (vulnerabilities) per client that would allow their internal network to be penetrated.

For one client, 10 different penetration vectors were detected, with the oldest vulnerability (CVE-1999-0532) dating back 20 years.

The report shows that corporate Wi-Fi networks are a convenient launch point for attackers, with 40% of companies tested using easy-to-guess dictionary passwords for access to their Wi-Fi networks. In addition, 75% of Wi-Fi networks were accessible from outside of company offices, and the same proportion failed to enforce per-user isolation. As a result, intruders can attack personal and corporate laptops connected to Wi-Fi without ever having to set foot in the target’s building.

Another weak point at most companies was found to be their employees, who are vulnerable to social engineering attacks. In testing, 26% of employees clicked a link for a phishing website and almost half of them proceeded to enter their credentials in a fake authentication form. One in six employees opened a simulated malicious file attached to an email and 12% were willing to communicate with intruders.

Leigh-Anne Galloway, analyst at Positive Technologies said that to gain full control over the corporate infrastructure, an attacker usually penetrates the network perimeter and takes advantage of vulnerabilities in out-of-date operating system (OS) versions.

“From this point, the sequence of events is predictable – the attacker runs a special utility to collect the passwords of all logged-in OS users on these computers. Some of these passwords might be valid on other computers, so the attacker repeats this process.

“Gradually, system by system, the attacker continues until obtaining the password of the domain administrator. At that point, it’s game over—the attacker can burrow into the infrastructure and control critical systems while staying unnoticed.”

Stopping insider attackers requires a comprehensive, in-depth defensive approach, the research report said, adding that basic security measures include keeping operating systems and applications up to date, as well as enforcing use of strong passwords on all systems by all users, especially administrators.

Positive Technologies recommends using two-factor authentication for administrators of key systems and refraining from giving administrator privileges to ordinary employees on their computers. Even if some systems have been compromised already, the report said rapid detection can still minimize the damage.

Organizations should also consider implementing security information and event management (SIEM) and other systems that enable them to respond to security breaches effectively and in a timely manner.

 

via: computerweekly

Hamas Uses Fake Dating Apps to Infiltrate Israeli Military

Hamas has been accused of running a sophisticated spyware operation designed to trick Israeli Defense Force (IDF) soldiers into downloading malicious apps.

Hundreds of IDF troops have been contacted by alleged fake profiles on social networking sites in what the military is dubbing Operation Broken Heart.

After building up a rapport with the soldier on WhatsApp, the ‘woman’ in question then typically sends them a link to download a convincing-looking but malicious app.

These included dating apps with names like GlanceLove and ones featuring goals and live scores from the World Cup, such as Golden Cup.

One suspicious-looking profile, which nevertheless had an Israeli number attached, belonged to a ‘Lina Kramer’ and was discovered in January. Those behind the campaign often try to cover up broken Hebrew by saying they’re immigrants, the IDF claimed.

“Not long after the first attacker approached us, we’d already begun receiving dozens of reports from soldiers about suspicious figures and apps on social networks,” said ‘Colonel A,’ head of the IDF Information Security Department.

“Upon investigating the reports, we uncovered hostile infrastructure that Hamas tried to use to keep in contact with IDF soldiers and tempt them to download apps that were harmful, and use the soldiers to extract classified information.”

The apps are said to be loaded with Trojan malware capable of switching on the mic and camera, accessing photos, phone numbers and email addresses of soldiers operating near the Palestinian border, and even gathering info on military bases.

The IT security department of the Israeli military has updated its guidance for soldiers in light of Broken Heart and is reportedly also sending fake messages to soldiers in a bid to raise awareness of the dangers of clicking on links from virtual strangers.

 

via: infosecurity-magazine

Gmail Privacy Fears Emerge Over Third-Party Apps

Google is at the center of a new privacy storm after it was revealed that third-party app developers can read the content of Gmail users’ emails.

This “dirty secret,” as one source described it to the Wall Street Journal, affects users who choose to link their Gmail accounts to third-party applications for things like travel or shopping.

In so doing they’re asked to grant permissions for the app to “Read, send, delete and manage your email.”

However, many users may not be aware that human eyes are perusing their personal emails as well as computer algorithms.

The report claimed that in the case of marketing app Return Path, employees of the company read around 8000 Gmail users’ emails to help develop the app. Email management app developer Edison Software also allowed its employees to read “thousands” of emails to hone the Smart Reply feature.

For its part, Google claimed to have strictly vetted those firms allowed access to users’ emails and said users are asked explicitly for their permission to do so, consistent with its policies.

However, when it comes to third-party apps, user privacy has become a major issue following the Cambridge Analytica scandal in which the details of 87m Facebook users were sold by an app developer for use in targeted political advertising.

The social network changed a policy in 2015 which had allowed third-party developers to access the data of app users’ friends.

Evgeny Chereshnev, CEO of privacy firm Biolink.Tech, claimed that the GDPR demands organizations improve awareness among users around how their data is being used.

“This type of access is going to continue, and people need to be aware that every time they connect to, or install, a third-party application on their mobile device, they are giving rights to those applications – often without even thinking about it,” he added.

“These applications gain access to users’ contacts, information about the user of the phone as well as things like GPS location, so this needs to be taken very seriously.”

 

via: infosecurity-magazine

6 Steps for Establishing and Maintaining Digital Integrity

To create a secure digital profile, organizations need digital integrity. This principle encapsulates two things. First, it upholds the integrity of files that store operating system and application binaries, configuration data, logs and other crucial information. Second, it protects system integrity to make sure applications, endpoints and networks perform their intended functions without degradation or impairment.

Digital integrity is possible only through the merging of people, process and technology into a holistic framework. Such an effort can be difficult without proper guidance. Fortunately, several of the Center for Internet Security’s Critical Security Controls (also known as the CIS Controls) can help. Organizations should pay particular attention to these security measures:

  • CIS Controls 3, 5 and 11 together help organizations continuously manage their vulnerabilities, harden critical endpoints and monitor for unexpected changes.
  • CIS Control 17 aids organizations in creating a security awareness training program for their employees that helps maintain skills and competencies.
  • CIS Control 6 supports organizations in their development of an audit log policy and implementation of proactive change management.

With those controls, businesses can abide by the following six steps to establish and maintain a profile of digital integrity.

Step 1: Establish a Configuration Baseline for Your Infrastructure

Organizations need to understand how their assets are configured. Towards this end, they can use CIS Controls 5 and 11 to create a configuration baseline that allows them to manage configurations, catalog acceptable exceptions and issue alerts for unauthorized changes. Enterprises should design that standard in such a way that it applies to all authorized endpoints.

Step 2: Determine the Critical Files and Processes You Need to Monitor Your Baseline

With a baseline in place, organizations need to monitor it through their critical files and processes. They can apply CIS Controls 7-17 to refine their monitoring processes to include endpoint master images, OS binaries and web server directories. They should also focus on key processes that either touch any of those files or involve logging and alert generation.

Step 3: Document Your Static and Dynamic Configuration Monitoring Procedures

Organizations can use CIS Controls 3.1 and 3.2 to configure their automated scanning tools for vulnerabilities. They should consider availing themselves of both static and dynamic monitoring. The former is useful for periodic checks and assessments against fixed network parameters while the latter is advantageous for providing real-time notifications of change.

Step 4: Implement Continuous Vulnerability Monitoring

Once they’ve configured their scanning tools, organizations need to figure out the scope of their continuous vulnerability monitoring program. As part of this program, they should follow the guidance of CIS Control 3 to ensure there are notifications for suspicious activities that change baseline configurations or expose the organization to increased risk. They should also work to see how IT and security personnel can work together to strengthen digital integrity.

Step 5: Establish Formal Change Management Processes

Change management works best if organizations establish formal processes to evaluate requests and track outcomes. For example, they can consider creating a change control board that’s empowered to act on high-priority issues and using risk-rating to prioritize the remediation of discovered vulnerabilities. All the while, organizations should be on the lookout for change management problems that undermine digital integrity.

Step 6: Establish Training for Your Staff

Lastly, organizations should follow CIS Control 18 to establish security awareness training for their employees. They should begin by performing a gap analysis to understand the skills and behaviors needed for their employees. Using their findings as a baseline, enterprises can then deliver training to address the skills gap for all workforce members.
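One concrete way to put Steps 1, 2 and 4 into practice is a file-integrity baseline: hash the critical files once, store the result off-host, and diff a fresh snapshot against it on a schedule. The Python below is an added example, not code from the article or from the CIS Controls; the monitored tree, the file names and the catalogue of acceptable exceptions are all constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, List


def _file_record(path: str) -> Dict[str, object]:
    """Hash one file in chunks and capture the attributes we baseline."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Record every regular file under root, keyed by root-relative path."""
    baseline: Dict[str, Dict[str, object]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            # POSIX-style relative keys let one baseline serve every
            # endpoint built from the same master image.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _file_record(full)
    return baseline


def save_baseline(baseline: Dict[str, Dict[str, object]], path: str) -> None:
    """Persist the baseline; in practice keep the copy off-host and read-only."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Dict[str, object]]:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare_baselines(expected: Dict[str, Dict[str, object]],
                      observed: Dict[str, Dict[str, object]],
                      exceptions: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Diff a stored baseline against a fresh snapshot. Paths in `exceptions`
    (the catalogue of acceptable changes, e.g. log files) are reported under
    "excepted" instead of being treated as unauthorized drift."""
    approved = set(exceptions)
    report: Dict[str, List[str]] = {"added": [], "removed": [],
                                    "modified": [], "excepted": []}
    for rel in sorted(set(expected) | set(observed)):
        if rel in approved:
            if expected.get(rel) != observed.get(rel):
                report["excepted"].append(rel)
        elif rel not in expected:
            report["added"].append(rel)
        elif rel not in observed:
            report["removed"].append(rel)
        elif expected[rel] != observed[rel]:
            report["modified"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake web root, then alter it."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "site")
        for rel, data in (("htdocs/index.html", b"<h1>ok</h1>\n"),
                          ("htdocs/.htaccess", b"Options -Indexes\n"),
                          ("logs/access.log", b"GET / 200\n")):
            full = os.path.join(site, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        store = os.path.join(work, "baseline.json")  # outside the monitored tree
        save_baseline(build_baseline(site), store)
        # Simulated drift: a config edit, a new file, a deletion and log growth.
        with open(os.path.join(site, "htdocs/.htaccess"), "ab") as fh:
            fh.write(b"Options +Indexes\n")
        with open(os.path.join(site, "htdocs/new.js"), "wb") as fh:
            fh.write(b"// not in the baseline\n")
        os.remove(os.path.join(site, "htdocs/index.html"))
        with open(os.path.join(site, "logs/access.log"), "ab") as fh:
            fh.write(b"GET /x 404\n")
        return compare_baselines(load_baseline(store), build_baseline(site),
                                 exceptions=["logs/access.log"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each non-empty list in the report other than "excepted" is a candidate alert for the change control board described in Step 5.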

AN ONGOING PROCESS

Establishing and maintaining digital integrity is an ongoing process that requires constant engagement from organizations. To make the best out of your organization’s efforts to create a digital integrity profile, download this whitepaper.

 

via: tripwire

UK Government Sets Minimum Cybersecurity Standard

The UK government has launched a new cybersecurity standard designed to set a baseline of mandatory security outcomes for all departments.

The Minimum Cyber Security Standard announced this week presents a minimum set of measures which all government departments will need to follow, although the hope is that they will look to exceed these at all times.

There is some flexibility in how they achieve these measures, depending on “local context.”

“Over time, the measures will be incremented to continually ‘raise the bar’, address new threats or classes of vulnerabilities and to incorporate the use of new Active Cyber Defence measures that Departments will be expected to use and where available for use by suppliers,” the document states.

There are 10 elements to the standard, divided into five key domains: identify, protect, detect, respond and recover.

These start with putting in place “appropriate cybersecurity governance processes,” identifying and cataloging sensitive information and operational services, and continuous management of access rights.

Next comes strict authentication of all users who want access to sensitive info and key services; protection of key systems from exploitation of known vulnerabilities; security for highly privileged accounts; detection of common cyber-attacks; well-defined incident response plans; and well-tested processes to ensure continuity of services in the event of compromise.

Security experts welcomed the best practice security standard.

“Over the past decade, the UK government has been aiming to simplify security — moving away from proscriptive mandatory requirements in security standards, towards describing the minimum security outcomes that need to be achieved,” explained FireEye director, Mike Trevett. “This standard helps do exactly that. For mature organizations it provides a solid framework for managing their information risk. For less mature organizations, it will help them structure how they manage information risk and guide their cybersecurity process development.”

Mark Adams, regional VP for UK and Ireland at Veeam, argued that the standard would help government departments manage risk in a new era of GDPR and NIS Directive, and sets a good example for other industries to follow.

“The emphasis on recovery, often an unsung hero with data management, is especially welcome,” he added. “No matter who you are or where you work, it has never been more important to ensure that your digital lives are permanently ‘on’. The ability to seamlessly move data to the best location across multi-cloud environments is now crucial for business continuity, compliance, security, and optimal use of resources for business operations.”

 

via: infosecurity-magazine

UK Financial Regulators Cracking Down on Banks’ IT Failures

Financial regulators have ordered British banks and other financial services firms to provide a detailed plan for responding to IT outages and cyber-attacks.

The Bank of England (BoE) and the Financial Conduct Authority (FCA) published a joint discussion paper on Thursday, asking firms to report on their exposure to risk and incident response processes.

Firms have been given an October 5 deadline to provide their emergency back-up plans.

The discussion paper stresses the importance of operational resilience given today’s “hostile cyber-environment and large scale technological changes.”

“A resilient financial system is one that can absorb shocks rather than contribute to them,” said the BoE and FCA in a joint statement.

“The financial sector needs an approach to operational risk management that includes preventative measures and the capabilities – in terms of people, processes and organizational culture – to adapt and recover when things go wrong,” they said.

The paper also highlights the role of firms’ senior officials when responding to incidents, recommending setting “board-approved impact tolerances quantifying the level of disruption that could be tolerated.”

Regulators suggested two days as an acceptable limit for disruption to a business service, according to one scenario detailed in the discussion paper.

“Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers and other market participants in the financial system,” states the paper.

Another important concept that regulators advised financial firms to address involves an effective communication plan.

“The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response,” the discussion paper noted.

Firms that fail to demonstrate adequate back-up plans could face fines and other sanctions, such as a requirement to hold higher capital levels or to make additional IT investment.

 

via: tripwire

How doctors and patients might benefit from these Apple updates

Find out how Group FaceTime, Siri Shortcuts, Apple Watch improvements, and privacy updates could solve some healthcare headaches.

 

Improved privacy controls were a big news story from the WWDC 2018 keynote. With iOS 12, Safari will prevent Share buttons and comment widgets on webpages from tracking users without their permission. The Safari update will also make it harder for advertisers to track a device’s “fingerprint” to retarget ads.

One announcement related to data and health didn’t make it to the keynote stage: Apple has made it easier for people to share their health data with researchers and app developers. Apple has extended its privacy philosophy to this new feature as well, according to the press release:

“Health Records data is encrypted on iPhone and protected with the consumer’s iPhone passcode. When consumers choose to share their health record data with trusted apps, the data flows directly from HealthKit to the third-party app and is not sent to Apple’s servers.”

This is exactly the right approach. People will be more likely to trust Apple with their personal health info if they know that the information is not being sold to third parties to push drugs and devices.

This is not the only important Apple news for the healthcare world. Several updates to the phone and watch operating systems have the potential to solve communication challenges for patients and doctors and maybe even make healthcare a little more efficient.

Group FaceTime could be a game changer in hospitals

This announcement didn’t require a “This is really cool!” nudge from the speaker to get a reaction from the audience. It’s hard to imagine that anyone would hit the 32-person limit in the new Group FaceTime feature, but a hospital care team meeting could come close.

Assembling the care team is always a challenge, particularly for people with complex conditions. The challenge of getting several doctors in the same place at the same time is so great that many people are too intimidated to try. Even waiting for a hospitalist to show up for rounds is a big challenge. “Don’t leave” is the general rule when someone you love is in the hospital. This advice is very difficult to follow, but crucial if you want an update on your loved one’s condition or if you have a question to ask about the care plan.

Group FaceTime could be a game changer for families trying to get everyone—even the adult child living across the country—an update from the doctor about a person in the hospital. Hospitals could set FaceTime hours for doctors and other members of the care team to solve the problem of never being at the bedside when the doctor is.

Siri Shortcuts for improved medication adherence

During the WWDC 2018 keynote, an Apple manager showed off a Siri Shortcut that connected several tasks. The Shortcut estimated her evening commute time, sent a message to her roommate with the ETA, and turned on NPR in her car.

A Siri Shortcut could be a powerful tool to help people living with complex health conditions, as well as people taking multiple medications every day at different times each day. This tool could also help patients who have to take injections or follow multi-step instructions. For example, doctors don’t have a lot of time to explain how to use an asthma inhaler during a visit. A Siri Shortcut could use a calendar reminder to trigger a “Don’t forget your evening dose,” pull up a video that shows how to use the inhaler, and then record the action in the Health app.

 

Pharmacies could create Siri Shortcuts to share with customers to remind them to finish the entire bottle of antibiotics. People taking expensive meds—such as the Hepatitis C drugs that cost about $1,000 per pill—could get these reminders as well.

These Siri Shortcuts could be useful before a drug even hits the market. Pharma companies spend between $19 and $52 million on phase 3 clinical trials (that’s the stage when the new treatments are tested on humans). Giving an iPhone to participants could pay for itself in better trial results as well as improved compliance once (if) the drug makes it to the market.

Some clinical trials also sometimes require daily reporting from a participant such as getting on a scale or taking vital signs or reporting mood. Pre-programmed shortcuts could increase the chances of people remembering to do this too.

All this requires a person to have an iPhone or an Apple Watch, of course. The newer phones start at $699 and the watches at $329. Hepatitis C destroys your liver, so a course of meds that comes with an iPhone is still cheaper than a transplant and a lifetime of anti-rejection meds.

Hands-free voice activation for the Apple Watch

Kevin Lynch’s job during the WWDC 2018 keynote was to explain how the new Apple Watch features will help users “stay active and connected.” The VP of Technology at Apple shared a lot of updates about exercise—auto detection of workouts, tracking for more types of exercise like hiking, new features for runners. He also announced that Apple Watch users would no longer have to say “Hey, Siri,” to activate the assistant. Developers changed the interaction to be triggered by the wearer lifting his wrist to wake up Siri.

This gesture-based “on button” is a perfect fit for healthcare providers. There are many occasions when a nurse has to keep her hands clean, but could use her voice or a gesture to ask a virtual assistant to start paying attention or take an action. Gesture-based activation could also help hospital patients interact with technology if they are on pain meds or if their mobility is limited.

Developers working on voice-controlled software are starting to think in terms of “place-onas.” A play on “persona,” this term identifies the best way for humans to interact with technology based on location and activity. For instance, a surgeon could use her voice but not her hands to control software in the operating room—that place-ona would be characterized as “eyes busy, hands busy, ears free, voice free.”

Hospitals are full of “hands busy” place-onas. The idea of turning on a virtual assistant with a gesture has a lot of potential for making interactions with technology easier in healthcare settings.


via: techrepublic

Restaurant Chain Struck by Payment Card Data Breach

An American restaurant chain revealed it suffered a data breach affecting customers’ payment card details at most of its locations.

On 22 June, PDQ issued a statement explaining that a malicious attacker obtained unauthorized access to its computer system and acquired the names, credit card numbers, expiration dates and cardholder verification value (CVV) of some of its customers.

The restaurant chain first learned that some customers’ information might have been compromised on 8 June. It launched an investigation into the matter shortly thereafter and thereby determined that the period of unauthorized access lasted from 19 May 2017 to 20 April 2018. During that span of time, attackers made off with customers’ information used at all but three of the company’s locations.

PDQ wasn’t able to pinpoint an exact number of payment cards that the attackers might have exposed. For that reason, it urged customers who used a payment card at one of its affected locations during the breach period to monitor their credit reports and bank statements carefully. The restaurant chain also clarified what actions it’s taken since discovering the unauthorized access to its systems:

Caring for our customers is a top priority, and once we suspected a possible breach, we acted immediately to address the situation and stop the breach. We initiated an investigation and engaged a cybersecurity firm that conducted a comprehensive forensic review of the attack. We reported the breach to law enforcement and continue to work with authorities and state regulators. We have taken steps to further strengthen the security of our systems to help prevent this type of incident from happening again.

As of this writing, PDQ has traced the breach back to “an outside technology vendor’s remote connection tool.” This type of attack vector highlights the importance of organizations reviewing the digital security risks lurking in their supply chain.

 

via: tripwire

Bank says Ticketmaster knew of breach months before taking action

 

Ticketmaster UK announced on its site yesterday that on June 23rd it identified malicious software that had affected nearly five percent of its customers, allowing an unknown third party access to customers’ names, email addresses, telephone numbers, payment details and login information between February 2017 and June 23rd, 2018.

The company says the breach can be traced back to an AI chat bot it uses to help answer customers’ questions when a live staff member is unavailable. The software’s designer, Inbenta, confirmed that the malware had taken advantage of one piece of JavaScript that was written specially for Ticketmaster’s use of the chat bot.

However, both companies have confirmed that as of June 26th the vulnerability has been resolved. In its statement, Ticketmaster told customers that affected account holders had been contacted as soon as the company became aware of the breach and offered a free 12-month identity monitoring service.

But, according to U.K. digital bank Monzo, Ticketmaster was informed of the breach in April.

In a statement released by its Financial Crime team today, Monzo describes the events from its perspective. On April 6th, the bank began to notice a pattern of fraudulent transactions on cards that had been previously used at Ticketmaster. Out of 50 fraud reports the bank received that day, 70 percent of cards had made transactions on Ticketmaster in the last several months.

“This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster,” said Natasha Vernier, head of Financial Crime at Monzo, in the statement.

On April 12th, Monzo says it expressed its concerns directly to Ticketmaster and that the company said it would “investigate internally.” In the week to follow, Monzo received several more Ticketmaster-related fraud alerts and made the decision to replace roughly 6,000 compromised cards over the course of April 19th and 20th, without mentioning Ticketmaster.

During that same period, Ticketmaster told Monzo that its completed internal investigation had shown no evidence of a breach.

This puts Ticketmaster in an awkward position, because under the 2018 General Data Protection Regulation (GDPR), companies are required to report a breach within 72 hours. Not 76 days. It’s uncertain, based on the timeline of events, whether Ticketmaster will be held to these standards or to the now-overturned 1998 standards, but either way the water is starting to heat up around the ticket dealer.

We’ve reached out to Ticketmaster for comment but the company did not reply by the time of publication.

Update, 10:20 am, June 29th: A Ticketmaster spokesperson provided the following comment:

When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf. In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.

 

via: techcrunch

Ticketmaster Warns of Data Breach, Customer Payment Details Potentially Exposed

Ticketmaster has alerted thousands of UK-based customers that it has learned of a security breach in which their payment information may have been exposed.

In a statement on its website, the popular ticketing service stated that it recently identified malicious software on a customer support product hosted by an external third-party supplier – Inbenta Technologies.

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites,” said the company.

Ticketmaster says less than five percent of its global customer base has been impacted by the incident. A report by the BBC claims it involves up to 40,000 UK customers.

This includes UK customers who purchased – or attempted to purchase – tickets between February and June 23, 2018, as well as international customers who did the same from September 2017 to June 23, 2018.

Customers in North America have not been affected.

As a result of Inbenta’s product running on Ticketmaster International websites, the ticketing service explained some customers’ personal data “may have been accessed by an unknown third party.”

The potentially compromised information includes name, address, email address, telephone number, payment details and Ticketmaster login details.

“We have contacted customers who may have been affected by the security incident,” said the company. “If you have not received an email, we do not believe you have been affected by this security incident based on our investigations.”

Ticketmaster added that forensic teams and security experts are further investigating to determine how the security breach occurred.

“We are working with relevant authorities, as well as credit card companies and banks,” the firm said.

Affected customers are advised to reset their passwords and monitor their account statements for any suspicious or fraudulent activity. The company is offering a free 12-month identity monitoring service to those impacted.

 

via: tripwire