THE WORST CYBERSECURITY BREACHES OF 2018 SO FAR

By: Lily Hay Newman

Looking back at the first six months of 2018, there haven’t been as many government leaks and global ransomware attacks as there were by this time last year, but that’s pretty much where the good news ends. Corporate security isn’t getting better fast enough, critical infrastructure security hangs in the balance, and state-backed hackers from around the world are getting bolder and more sophisticated.

Here are the big digital security dramas that have played out so far this year—and it’s only half over.

Russian Grid Hacking

In 2017, security researchers sounded the alarm about Russian hackers infiltrating and probing United States power companies; there was even evidence that the actors had direct access to an American utility’s control systems. Combined with other high-profile Russian hacking from 2017, like the NotPetya ransomware attacks, the grid penetrations were a sobering revelation. It wasn’t until this year, though, that the US government began publicly acknowledging the Russian state’s involvement in these actions. Officials hinted at it for months, before the Trump Administration first publicly attributed the NotPetya malware to Russia in February and then blamed Russia in March for grid hacking. Though these attributions were already widely assumed, the White House’s public acknowledgement is a key step as both the government and private sector grapple with how to respond. And while the state-sponsored hacking field is getting scarier by the day, you can use WIRED’s grid-hacking guide to gauge when you should really freak out.

US Universities

In March, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad. The suspects are charged with infiltrating 144 US universities, 176 universities in 21 other countries, 47 private companies, and other targets like the United Nations, the US Federal Energy Regulatory Commission, and the states of Hawaii and Indiana. The DOJ says the hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property. The attacks used carefully crafted spearphishing emails to trick professors and other university affiliates into clicking on malicious links and entering their network login credentials. Of 100,000 accounts hackers targeted, they were able to gain credentials for about 8,000, with 3,768 of those at US institutions. The DOJ says the campaign traces back to a Tehran-based hacker clearinghouse called the Mabna Institute, which was founded around 2013. The organization allegedly managed hackers and had ties to Iran’s Islamic Revolutionary Guard Corps. Tension between Iran and the US often spills into the digital sphere, and the situation has been in a particularly delicate phase recently.

Malware Delivers Cryptor or Miner, Trojan’s Choice

By: Kacy Zurkus

A long-existing Trojan family still functioning today has spawned new malicious samples of malware, which infects its victims with either a cryptor or a miner, according to Kaspersky Lab.

Distributed through spam emails with documents attached, the samples are related to the Trojan-Ransom.Win32.Rakhni family. “After opening the email attachment, the victim is prompted to save the document and enable editing. The victim is expected to double-click on the embedded PDF file. But instead of opening a PDF the victim launches a malicious executable,” researchers wrote.

The Trojan decides which payload should be downloaded onto the victim’s PC at the moment the malicious executable is launched. “The fact that the malware can decide which payload it uses to infect the victim provides yet another example of the opportunistic tactics used by cybercriminals,” said Orkhan Mamedov, malware analyst, Kaspersky Lab.

“They will always try to benefit from their victims: either by directly extorting money (cryptor), by the unauthorized use of user resources for their own needs (miner), or by exploiting the victim in the chain of malware distribution (net-worm).”

Since first discovered in 2013, the malware writers have changed the way their Trojans get keys. Where they were once locally generated, they are now received from the command and control (C&C). They’ve also altered the algorithms used, going from exclusively using a symmetric algorithm and evolving through a commonly used scheme of symmetric and asymmetric.

Analysts have recently discovered 18 symmetric algorithms used simultaneously. The crypto-libraries are also different, as is the distribution method, which has ranged from spam to remote execution. In the recently spotted samples, criminals added a new mining capability feature.

More: https://www.infosecurity-magazine.com/news/malware-delivers-cryptor-or-miner/

For Financial Services, Encryption is Essential – But So Is Performance

By: Aamir Lakhani

The financial services industry is one hit hardest by the heightened expectations of consumers to access information, receive help, and conduct transactions anywhere and at any time via their mobile devices. By 2025, Millennials are expected to generate 46 percent of all U.S. income, and yet over a fifth of them have never written a physical check to pay a bill. Instead, 38 percent use apps and mobile tools to make bill payments, and 71 percent consider their banking relationship to be transactional rather than relationship-driven.

In addition, more than one-quarter (27 percent) of Millennials are completely reliant on a mobile banking app. In fact, they are 1.3 times more likely than Gen-Xers and 2 times more likely than Baby Boomers to rely on a mobile banking app for regular banking activities.

For financial firms, the ability to offer such services represents a competitive advantage, with 75 percent of banks making investments to create and improve a customer-centric digital business model. Aside from benefitting consumers, greater accessibility to data on various devices and applications can also improve employee efficiency, meeting the common request for more open networks.

Personal Data at Greater Risk

This shift to online consumer banking has led to increasing data traffic volumes as more users rely on applications and endpoints to interact with their personal data. Addressing this growing volume of traffic has led many financial institutions to adopt cloud, and increasingly, multi-cloud environments. Which means that personally identifiable information (PII) is now regularly travelling across different network domains.

While this increases the accessibility of data for consumers, thereby making financial services firms more competitive, it also means that their data spans a larger potential attack surface, making it more susceptible to cyberattacks. As these attacks become more sophisticated, leveraging artificial intelligence and automation to more effectively detect and exploit vulnerabilities, financial services firms not only need to engage in digital transformation but to also do so securely – protecting the private data of consumers.

Greater Interest in Encryption

Regulators are taking a close look at financial services firms to ensure they are implementing the security controls necessary to keep user data private. One of the core security features being required by these bodies is encryption. Encryption refers to converting plain text into secure code that can only be deciphered with a decryption key. This ensures that data in motion across the network and the web, as well as data at rest in the cloud or data center, cannot be seen by anyone without the key – even if it is stolen – adding a strong layer of security.

Encryption for financial services firms is being recommended today by several regulatory guidelines, including the Federal Financial Institutions Examination Council (FFIEC) and the new General Data Protection Regulation (GDPR).

More: https://www.csoonline.com/article/3284351/security/for-financial-services-encryption-is-essential-but-so-is-performance.html

Facebook and Google use ‘dark patterns’ around privacy settings, report says

By: BBC NEWS Technology

Facebook, Google and Microsoft push users away from privacy-friendly options on their services in an “unethical” way, according to a report by the Norwegian Consumer Council.

It studied the privacy settings of the firms and found a series of “dark patterns”, including intrusive default settings and misleading wording.

The firms gave users “an illusion of control”, its report suggested.

Both Google and Facebook said user privacy was important to them.

The report – Deceived by Design – was based on user tests which took place in April and May, when all three firms were making changes to their privacy policies to be in compliance with the EU’s General Data Protection Regulation (GDPR).

Illusion

It found examples of

  • privacy-friendly choices being hidden away
  • take-it-or-leave it choices
  • privacy-intrusive defaults with a longer process for users who want privacy-friendly options
  • some privacy settings being obscured
  • pop-ups compelling users to make certain choices, while key information is omitted or downplayed
  • no option to postpone decisions
  • threats of loss of functionality or deletion of the user account if certain settings not chosen

For example, Facebook warns anyone who wishes to disable facial recognition that doing so means that the firm “won’t be able to use this technology if a stranger uses your photo to impersonate you”.

The report concluded that users are often given the illusion of control through their privacy settings, when they are not getting it.

“Facebook gives the user an impression of control over use of third party data to show ads, while it turns out that the control is much more limited than it initially appears,” the report said.

More: https://www-bbc-co-uk.cdn.ampproject.org/c/s/www.bbc.co.uk/news/amp/technology-44642569

Google reportedly allowed outside app developers to read user emails despite privacy promises.

By: Elizabeth Chuck

The tech giant has allowed hundreds of outside software developers to access the inboxes of Gmail users, the Wall Street Journal reported on Monday.

Google — which a year ago vowed to clamp down on Gmail users’ privacy — has reportedly been letting outside app developers scan millions of inboxes, according to a Wall Street Journal examination.

Despite the promise from Google last June to stop scanning Gmail messages for the purpose of selling targeted ads, the tech giant has been allowing hundreds of outside software developers to access inboxes, the Wall Street Journal reported on Monday.

The app developers were reportedly granted access to the inboxes of users who signed up for email-based tools, such as price comparisons or travel-itinerary planners, the Journal said. By opting in to those tools, users were potentially exposing entire Gmail messages, email addresses, and other pieces of information to third parties, it added.

Over 90 percent of endpoint security incidents involve legitimate binaries

By: Brian Jackson

Cybercriminals use a variety of tactics to cloak their activity and that includes using trusted tools, like PowerShell, to retrieve and execute malicious code from remote sources.

A new report from eSentire reveals that 91 percent of endpoint incidents detected in Q1 2018 involved known, legitimate binaries.

“eSentire Threat Intelligence data shows heavy use of legitimate Microsoft binaries, such as PowerShell and mshta.exe, popular tools for downloading and executing malicious code in the initial stages of a malware infection,” says Eldon Sprickerhoff, founder and chief security strategist, eSentire. “PowerShell can also be leveraged by adversaries to reduce their on-disk footprint and evade detective controls by operating in memory and obfuscating command-line parameters.”

The report also shows a dramatic increase in attacks targeting popular consumer-grade routers, like Netgear and Linksys (who between them have over three-quarters of the market) Researchers saw a 539 percent increase from Q4 2017 to Q1 2018. Increased targeting of routers was first observed in late 2017 when the Reaper Botnet gained media attention. Additionally, intrusion attempts across industries grew 36 percent, mostly due to DNS manipulation in consumer-grade routers. These attacks allow attackers to redirect victims to malicious infrastructure to achieve a variety of results, including malware and phishing landing pages.

“The increase in attacks against consumer network devices can be attributed to the perceived value in recruiting devices for attacks against businesses, as opposed to leveraging them as potential network entry-points,” says Sprickerhoff.

Other findings are that phishing rose 39 percent across industries, with DocuSign, Office 365, and OneDrive being the most popular lures. Office 365 showed the highest success rate and popularity for attacks, growing five fold over 2017.

More: https://betanews-com.cdn.ampproject.org/c/s/betanews.com/2018/06/29/security-legitimate-binaries/amp/

The biggest cybersecurity risk to US businesses is employee negligence, study says

By: Carmen Reinicke

Hackers are no match for human error.

Employee negligence is the main cause of data breaches, according to a state of the industry report by Shred-it, an information security company. The report found that 47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.

Over 1,000 small business owners and C-suite executives in the United States were surveyed online in April for the report.

In 2017, data breaches cost companies an average of $3.6 million globally, according to a separate report from the Ponemon Institute.

For smaller businesses especially, that price tag could wipe out the entire firm. For a company of any size, a data breach can also cheapen a company’s brand and negatively impact their ability to do work, according to Shred-it.

Basic bad habits

Many of the most dangerous offenses by employees are things that they might not even think about as risky behavior. A surprising number of workers surveyed by Shred-it admitted to bad security behavior at work; over 25 percent said that they leave their computer unlocked and unattended.

Even taking notes on paper, or leaving papers out on your desk, can have unintended consequences.

“When you use paper to document notes or meeting minutes it raises the risk of you leaving that information behind,” said Kalsi. A simple mistake can backfire; earlier this year, a Department of Homeland Security employee left sensitive Super Bowl security documents on a plane.

Remote work

Working from Starbucks or even your living room may be nice and convenient, but it could also be opening your company up to a dangerous data breach.

Remote work is increasing. Over half of hiring managers agree that remote work is more common and a third think it is the future of work, according to a report on the future of work from Upwork, a freelancing platform.

Cybersecurity practices have not yet caught up. A majority of executives agree that the risk of a data breach is higher when an employee works remotely, yet few businesses have comprehensive off-site policies in place for those workers. Over half of small business owners said they have no policy for remote workers.

In addition, contractors or external vendors also open up companies to data breaches. The Shred-it survey found that 1 in 4 executives and 1 in 5 small business owners said that an external vendor was the cause of a data breach at their company.

This is because many businesses don’t do a thorough job of managing access when a relationship with an external vendor ends, according to Kalsi.

“There needs to be better governance around these things,” he said.

More: https://www-cnbc-com.cdn.ampproject.org/c/s/www.cnbc.com/amp/2018/06/21/the-biggest-cybersecurity-risk-to-us-businesses-is-employee-negligence-study-says.html

RAMpage attack could give hackers access to personal information stored in your Android phone

By: Alan Friedman

An attack on Android phones that can change what is stored in the Random Access Memory (RAM) inside a handset, can ultimately lead a hacker to gain control of the device. This attack, called RAMpage for obvious reasons, can theoretically grab passwords stored in a password manager, emails, photos, and documents stored on the unit. It is the subject of a research paper released today from three universities in India, Amsterdam and UC Santa Barbara.
RAMpage is an attack based on the Rowhammer bug that takes advantage of the tightly packed circuitry inside a RAM chip. By electrically attacking one part of a RAM chip, memory cells leak and interfere with other memory cells. Keep in mind that this is not necessarily a flaw, but is a “side effect” of RAM. While some leakage between rows of memory cells is normal, and the RAM chip able to recover, a hacker who attacks the same row repeatedly can flip the bits inside the cells, which use a binary system. The flip, from “0” to “1” or from “1” to “0” will alter the data stored in RAM.
RAMpage can be unleashed on Android devices using LPDDR2, LPDDR3 and LPDDR4 RAM. That means that any Android phone produced in 2012 or later is vulnerable. This is obviously a complicated attack, and while Android devices are currently the target at the moment, eventually iOS devices could be in the crosshairs.

OpenBSD Disables Intel Hyper-Threading to Prevent Spectre-Class Attacks

By: Swati Khandelwal

Security-oriented BSD operating system OpenBSD has decided to disable support for Intel’s hyper-threading performance-boosting feature, citing security concerns over Spectre-style timing attacks.

Introduced in 2002, Hyper-threading is Intel’s implementation of Simultaneous Multi-Threading (SMT) that allows the operating system to use a virtual core for each physical core present in processors in order to improve performance.

The Hyper-threading feature comes enabled on computers by default for performance boosting, but in a detailed post published Tuesday, OpenBSD maintainer Mark Kettenis said such processor implementations could lead to Spectre-style timing attacks.

“SMT (Simultaneous multithreading) implementations typically share TLBs and L1 caches between threads,” Kettenis wrote. “This can make cache timing attacks a lot easier, and we strongly suspect that this will make several Spectre-class bugs exploitable.”

In cryptography, side-channel timing attack allows attackers to compromise a system by analyzing the time taken to execute cryptographic algorithms. By measuring the precise time taken for each operation, an attacker can inversely calculate the input values to reveal confidential information.

Meltdown and Spectre-class vulnerabilities discovered earlier this year would be excellent examples of timing attacks.

Therefore, to prevent users of the OpenBSD operating system from such previously disclosed, as well as future timing attacks, the OpenBSD project has disabled the hyper-threading feature on Intel processors by default, as part of system hardening.

More: https://thehackernews.com/2018/06/openbsd-hyper-threading.html

Facebook Is Patenting Technology to Spy on You Through Your Smartphone Camera and Microphone

By: Minda Zetlin

Is Facebook using your computer camera to read your facial expressions and determine how you feel about what you see on your screen? Is it using your phone’s microphone to eavesdrop on you and find out what television programs you watch? Is it tracking your phone’s location in the middle of the night to find out where you live?

Maybe not, or at least not yet. But the company has applied for patents to do all these things, and many others, all of them intended to study your behavior and personality and even predict your future, in order to better serve Facebook’s customers. You may think that’s you, but it’s actually Facebook’s advertisers, which account for 99 percent of its revenue.

Sahil Chinoy, a graphics editor for The New York Times, recently reviewed hundreds of Facebook’s patent applications and appropriately dubbed many of them “creepy.” Here are four of the creepiest:

1. A patent for using your device’s front facing camera to read your facial expressions and determine how you feel about what you see on the screen.

2. A patent for using your phone’s microphone to eavesdrop on you, determining which television programs you’re watching and whether the ads are muted. It would also use the electrical signals emitted by your television to identify programs.

3. A patent that would track your weekly routine. It might also use your phone’s location in the middle of the night to try to determine where you live (or at least sleep).

4. A patent that would use your posts and messages–and credit card transactions–to predict your major life events, such as a birth, marriage, graduation, or death. Advertisers particularly value knowing when such events might occur soon.

Does all this make the little hairs on the back of your neck stand on end? Not to worry, says Facebook VP Allen Lo, head of intellectual property. “Most of the technology outlined in these patents has not been included in any of our products, and never will be,” he told the Times in an email.

But, any way you look at it, that’s not a comforting response. Applying for a patent isn’t a quick or easy matter. It typically involves tens of thousands of dollars worth of attorney’s fees. It’s certainly true that companies sometimes patent a concept in anticipation that either they will be sued by a company using similar technology or will themselves initiate a lawsuit someday. But there’s simply no reason for Facebook to go to the time and expense of patenting all these sophisticated and invasive methods of data collection unless it plans to use them or at least thinks it might use them someday. Whether it ever uses these precise technologies, the company clearly intends to gain ever more precise information about its members and nonmembers so as to sell that info to those who can make use of it, or help advertisers more perfectly target their ads.

Facebook has repeatedly said it gives users total control over the information they voluntarily share with the platform. When pressed, Facebook CEO Mark Zuckerberg admitted to Congress that the company gathers “shadow profiles” on non-Facebook users–but insisted that it is simply tracking publicly available data.

But what about data Facebook collects, or may collect in the future, by spying on users through their cameras or listening through their smartphone microphones? Will it ask people to opt in before it begins gathering information this way? It’s hard to imagine even the most hard-core Facebook user giving permission for practices like these.

Can we trust Facebook not to do this stuff without asking permission first?

More:  https://www.inc.com/minda-zetlin/facebook-patents-spying-smartphone-camera-microphone-privacy.html