STE WILLIAMS

Average Ransomware Payments More Than Doubled in Q4 2019

Ransomware attackers collected an average of around $84,000 from victim organizations, up from $41,000 in Q3 of 2018, Coveware says.

It’s clearly a great time for cybercriminals to be in the ransomware business.

New data from security vendor Coveware shows that in the fourth quarter of 2019, attackers on average collected more than double the ransom money from enterprise victims that they did in the previous quarter. By monetizing a mere 2% or so of their attacks, most ransomware operators were able to generate a sizable profit on their investments last quarter, Coveware estimates.

Coveware analyzed ransomware victim data collected from its incident response engagements as well as from IR firms using its platform, in the last three months of 2019. The data showed that average ransomware payments soared 104% from $41,198 in the third quarter to $84,116 in the fourth quarter. On average, a ransomware attack cost victim organizations some 16.2 days in downtime, compared to just 12.1 days in the third quarter of 2019.

Half of the victims who forked over a ransom paid $41,179 or less, while half paid more. At the high-end, some victims paid up to $780,000 to get the decryption keys for unlocking their data, while at the other end of the spectrum other victims paid as little as $1,500. The wide range in ransom demands and payments reflected the sheer diversity of the threat actors that were active last quarter, Coveware said in a report released Monday.

“The doubling of the amount was surprising,” says Bill Siegel, CEO and co-founder of Coveware. “I think we expected it to rise, but had not expected the impact of large enterprise attacks to pull the average up as much as it did.”

Coveware’s report is one of several in recent weeks that have highlighted a disturbing increase in ransomware attacks on enterprise organizations. A lot of it appears to be driven by the willingness of many victims to negotiate with attackers rather than attempting to restore data on their own. Security experts and law enforcement officials have been strongly advocating the latter, advising organizations against paying the attackers.

In many cases, attackers have begun sharply ratcheting up the pressure on victims by exfiltrating data before encrypting it and then threatening to leak the data publicly if the ransom is not paid. According to Coveware, prior to the fourth quarter less than 5% of enterprise cyber-extortion incidents involved data exfiltration and exposure. But such incidents are now steadily increasing. The trend more or less began in summer 2019 with malware strains like the BitPaymer derivative DoppelPaymer, Maze, and more recently, Sodinokibi.

“Cybercrime is a business, and when a ransomware group can acquire victims cheaply and repeatedly, they will keep doing so,” Siegel says. Nearly six in 10 attacks last quarter (57%) were enabled through the use of stolen Remote Desktop Protocol (RDP) credentials, which are available in underground markets for less than $100, he notes. “This will continue until the profit margins go down for these cheap and simple attacks. As of right now, the margins are great for cyber crime, so it marches on.”

A Proofpoint survey of more than 600 security professionals around the world showed that slightly more than half of all organizations infected with ransomware in 2019 elected to pay the demanded ransom. Sixty-nine percent got their data back after the initial payment; 22% were not able to regain access to locked-up data and systems; 9% got hit with additional demands, and 2% ended up paying a higher amount than the initial demand.

A Dicey Proposition

Coveware’s data, meanwhile, showed that 98% of victims that paid the demanded ransom received a working decryption tool. On average, companies that received a decryptor were able to recover about 97% of their locked data.

Generally, organizations that had to deal with the more sophisticated ransomware operators — such as those behind the highly prolific Ryuk and Sodinokibi strains — stood a much higher chance of getting their data back after paying a ransom. Groups associated with ransomware such as Rapid, Phobos and Mr.Dec — generally targeted at smaller organizations — tended to have higher default rates. Victims of these strains were at much higher risk of not getting their data back even after a ransom payment, Coveware found.

Companies with no backups, or those with compromised backups that don’t have the ability to get their business back any other way, are often the ones that end up choosing to make a ransom payment, Siegel says. That’s the only reason to even contemplate negotiations. Those who think paying a ransom will help make recovery faster are making a big mistake, he says.

“In our experience that is absolutely false, and in practice it does not happen,” Siegel says. “Once companies realize the extent of the remediation work necessary just to cleanse their production network, such that you could safely decrypt it, they realize that on a risk and time adjusted basis, restoring from backups is always a better option.”

RiskSense CEO Srinivas Mukkamala, whose company just launched a service to help organizations identify exposure to specific ransomware strains, says paying ransoms can be a dicey proposition. There have been numerous incidents where the key supplied by attackers after making a payment does not work, he says. Also, “paying the ransom obviously funds the industrial complex the bad guys are building, so we’re not fans of that,” he notes.

At the same time, the backup often has the same vulnerability that enabled the ransomware attack to occur in the first place, so there’s a danger the same vulnerability could be exploited again, he says.

“The best possible path is great up-front hygiene to patch systems such that known ransomware can’t execute,” Mukkamala says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/risk/average-ransomware-payments-more-than-doubled-in-q4-2019/d/d-id/1336893?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Instagram CEO’s homes were targeted by SWATters

The US has no central system for recording SWATting attacks, but there is growing evidence the problem is going from bad to worse.

According to The New York Times, the latest victim was Instagram CEO Adam Mosseri, whose houses in New York and San Francisco were surrounded in early November by heavily armed SWAT (Special Weapons and Tactics) teams after hoax phone calls claimed hostages were being held there.

After what is described as “tense, hours-long standoffs” the police realised there were no hostages and so the incident was filed along with the lengthening list of SWATting hoaxes the media has reported on.

But that’s the power of a successful SWAT. Once the wheels of response are in motion, it can be hard for the authorities to distinguish a real incident from an imaginary one designed to intimidate and harass.

The motive for the attack? The newspaper speculated that it was probably Instagram’s recent crackdown on political content which violates its rules, fuelled by a dark web awash with the contact numbers and home addresses of prominent executives.

Tech companies, including Facebook, have become such a regular target for SWATting that a growing number of companies have reportedly had to brief executives that they believe might be targeted.

Things are so bad that registries of at-risk individuals have reportedly been drawn up in at least one US city so local police can check first before sending out SWAT teams.

From prank to DoS

SWATting seems to have gone viral around 15 years ago, driven largely by gamers getting back at rivals. For the most part it was written up as a largely harmless (albeit a huge waste of policing resources) prank.

Then a man whose address police had been sent to as part of a gaming wager was shot and killed and the penny finally dropped – suddenly SWATting wasn’t harmless after all.

SWATting has also been used to attempt to silence and intimidate journalists – as Brian Krebs found out in 2017 – and even senior US politicians.

Interestingly, SWATting has recently evolved beyond the idea of targeting the homes of individuals to take on entire transport systems and schools, as was the case in a 2018 incident that targeted a United Airlines flight.

The authorities must now be worried that SWATting is rapidly turning into a viable type of denial-of-service (DoS) attack on physical assets that could, like its internet equivalent, turn into an economic drag.

Heading this off will mean addressing underlying weaknesses that make SWATting possible, starting with the eagerness with which US police forces send heavily armed officers to attend incidents without checking whether that’s necessary.

It hasn’t escaped attention that SWATting is largely a US phenomenon, aided by the devolved nature of policing in the country, which gives individual forces leeway over the criteria they set for armed response.

Naturally, there have been moves to make punishments tougher but this will never be a solution on its own – it’s simply too easy to spoof calls from anywhere in the world, so many culprits will remain hard to trace or beyond the reach of US laws. Closing that hole requires technical solutions that could take years to come to fruition.

For individuals at least, there is a simpler solution – make it harder for SWATters to find YOU by being more careful about keeping home addresses and phone numbers private.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/G3_eKlvYmFs/

Tinder to get panic button, catfish-fighting facial recognition

In an effort to keep users safe – and when it comes to Tinder or other dating apps, that means keeping them from being raped, murdered or even, in one horrific case, dismembered – Tinder is incorporating a panic button into the app, as well as Artificial Intelligence (AI)-enabled photo recognition to help stop catfishing.

A catfish is an online swindler who sets up a bogus persona on social media, particularly to fleece somebody in a romance scam. The technique is also used by a rogues’ gallery of predators.

Like, for instance, the guy who pretended he was Justin Bieber, but who was actually a 35-year-old UK man who was subsequently imprisoned for talking children into stripping in front of a webcam.

Or Craig Brittain, former owner of the revenge porn site IsAnybodyDown, who conned women out of nude images by posing as a woman on a Craigslist women’s forum.

The news about the panic button and other new safety features was announced on Thursday by Tinder’s parent company, Match Group, which also owns pretty much all of the popular dating/hookup apps, including Match, PlentyOfFish, Meetic, OkCupid, OurTime, Pairs, and Hinge.

Match says it’s hoping to roll out the new technologies to all of its brands, starting tomorrow with Tinder users in the US.

To run the new, location-based emergency services, Match has invested in a company called Noonlight. Noonlight’s technologies will let users quickly and subtly contact emergency services for help without having to call or text an emergency number.

Match says it’s the first dating company to invest in an emergency response system that will enable Tinder users in the US to get help directly sent to them.

Match Group CEO Mandy Ginsberg:

A safe and positive dating experience is crucial to our business.

We’ve found cutting-edge technology in Noonlight that can deliver real-time emergency services – which doesn’t exist on any other dating product – so that we can empower singles with tools to keep them safer and give them more confidence.

Panic button

This is a welcome service, but it’s not one without privacy tradeoffs. Users will be required to hand over a lot of personal data, including access to their geophysical location and details about who they’re hooking up with: specifically, users will have to enter the name of the person they plan to meet, as well as when and where, in a Tinder Timeline feature.

If things get dicey, you’ll be able to hold down the panic button to discreetly alert emergency services. Once an alarm is triggered, Noonlight’s dispatchers will reach out to check on a user and alert emergency responders if need be, providing them with the information that a given user has shared on their Timeline.

Catfishing

Also from tomorrow, Tinder will be outfitted with Photo Verification: a way to help verify a match’s authenticity so users have a chance to meet somebody who’s for real, as opposed to, say, these two. Or a bunch of prisoners who pretend to be hot, young girls.

The photo verification will run on – naturally – more of your personal data. It’s going to ask users to verify their identity by taking several real-time selfies that “trusty humans” and facial recognition will use to verify that your profile pictures are really of you.

Trade-off

It’s hard to argue with Match’s efforts to fight catfishing and violent crime against users who potentially put themselves at risk whenever they show up on a date. If online connectivity can help save lives and prevent assault, why not hand over personal data?

Many users will likely consider it a worthwhile trade-off. But there are, in fact, good reasons to think twice before giving away yet more access to our data than our devices are already snatching from us unawares (including Tinder), and facts about who we’re seeing and when.

For example, last week, we asked this question: What do online file sharers want with 70,000 Tinder images?

That’s the data cache that was found on several undisclosed websites, likely as the result of the site’s images being scraped with an automated script. It wasn’t the first time that Tinder has been scraped, either: it also happened in 2017 when a researcher working for Google subsidiary Kaggle swiped 40,000 Tinder images in order to train AI. He not-so-charmingly referred to the Tinder users as “hoes” in his source code, for whatever that’s worth.

As researcher Aaron DeVera pointed out, such a dump is “very valuable for fraudsters seeking to operate a personal account on any online platform.” Naked Security was dubious about that possibility for various reasons: please do read Danny Bradbury’s writeup for the discussion.

At any rate, besides catfish-fighting, human-assisted facial recognition and the new panic button, Tinder will also be acquiring a harassment detection prompt – called “Does This Bother You?” – that will be powered by machine learning, as well as a revamped in-app Tinder Safety Center.

Readers, what do you think of these new security features? Will they ease your worry about friends and family who are out on the town with internet-supplied strangers? We’d welcome your thoughts in the comment section below.

Finally, an “OK, Boomer” note: Please be safe, daters, and if you’ve got more hints on how to do that, please chime in.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/knmm8T6klTY/

Cardplanet mastermind pleads guilty to credit card fraud

Aleksei Burkov, a Russian cybercriminal responsible for over $20m in credit card fraud, pleaded guilty last week to access device fraud, identity theft, computer intrusion, wire fraud, and money laundering, after being indicted four years ago for operating a carding website called Cardplanet. This website, which ran from 2009 until 2013, served as a forum for cybercriminals to buy and sell credit card details stolen from victims. It facilitated the sale of over 150,000 cards that criminals then used in fraudulent transactions totalling at least $20m, according to the indictment.

Burkov, who lived in Tyumen and in St Petersburg, offered refunds on invalid card data, along with a card checking service that ensured a stolen card was still valid. He took payments through services including Liberty Reserve, which the US shut down in 2013.

He also ran another invitation-only website reserved for elite cybercriminals, according to the district attorney’s office for the Eastern District of Virginia, where the case against him was filed.

Burkov ran a tight due-diligence campaign for access to his site. Before accepting new members, he required three existing members to vouch for them. They’d also have to put up around $5,000 in insurance in case the new member failed to pay. Any members known to have been arrested were banned to stop informants from infiltrating and exposing the rest of the network.

In spite of these measures, investigations by law enforcement eventually compromised him. In December 2013 he sold stolen data for six credit cards to an undercover agent via his site. He was arrested in Israel two years later and extradited to the US in November last year.

Burkov’s original indictment called for penalties of $21,400,000. Under his plea bargain he forfeits at least $1,005,977 and an iPhone 6 that were seized from him during his arrest, along with any other proceeds or property he still has stemming from the fraud.

When sentenced on 8 May 2020, he faces up to 15 years in jail, although prosecutors point out that sentences are often less than the potential maximum.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u1COzi9wu6w/

Cisco Webex bug allowed anyone to join a password-protected meeting

Cisco has confessed to a vulnerability in its Webex Meetings Suite sites and Webex Meetings Online sites that allowed an “unauthenticated” attendee sitting on a workstation far, far away to join a “password-protected meeting without providing the meeting password”.

According to the security advisory, which was rated as “High”: “The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications.”

This is where the user goes to the meeting link in a browser – for which the meeting ID is needed. The browser then launches the Webex app, and it is within this flow that the vulnerability could be exploited.

They wouldn’t have snuck in unnoticed, however.

“A successful exploit could allow the unauthorized attendee to join the password-protected meeting. The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee,” said Cisco.

Vulnerable products include Cisco’s Webex Meetings Suite and Webex Meetings Online site releases earlier than 39.11.5 and 40.1.3. The on-premises Cisco Webex Meetings Server (which incidentally will be end of life in July) is not affected.

There are no workarounds, Cisco said, but the bug has been fixed and users will not need to update their mobile or desktop Webex applications.

The vulnerability was discovered as a result of a support case, and according to the advisory, although there was no previous public disclosure: “Cisco PSIRT [Product Security Incident Response Team] is aware of active use of the vulnerability that is described in this advisory.”

As vulnerabilities go, it could be worse. Having said that, unauthorised attendance at an online meeting could have consequences, such as employees learning management secrets, industrial espionage, insider trading, or worse.

Cisco also released a batch of security updates earlier this month – including one for Webex Video Mesh.

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/27/cisco_webex_bug_let_anyone_join_a_passwordprotected_meeting/

How to Get the Most Out of Your Security Metrics

There’s an art to reporting security metrics so that they speak the language of leadership and connect the data from tools to business objectives.

Much is at stake when reporting security metrics. This data is critical for management to evaluate security programs and justify further investment in security tools. The value of metrics comes from their ability to tell larger stories about a business that resonate with key stakeholders. You lose that opportunity if security teams use the wrong metrics — those that are overly technical or detailed — or miscommunicate the right metrics. Here are some of the more common reporting mistakes and best practices for avoiding them.

Generic or Overly Technical Metrics
This problem involves generic reports that are focused on the number of attacks that took place in a given time period and the percentage that were prevented versus those that had an impact. Those numbers don’t reflect the maturity of a security program.

Metrics that are shallow or too high level don’t effectively tie back to specific business strategies or critical objectives. They have limited value and don’t track the overall effectiveness of security operations. Relying on simple metrics to tell the larger risk story can have an unintended budgetary impact. For example, if a team consistently reports that 99% of known cyberattacks are being prevented, why would leadership support a budget to add a new solution to the security portfolio?

On the flip side are metrics that are too technical or detailed for the board to understand. For instance, leaders don’t need a breakdown of each vulnerability by operating system or platform. Why? It’s not clear how that information relates back to critical business functions or strategic objectives — in other words, the language of the business. Faced with data they don’t understand, board members not only will lose interest in the conversation, they may even question the security leadership’s strategy.

Connect Metrics to Business Outcomes
A more effective way of reporting to leadership is to speak directly to the risk level associated with critical business functions, the core contributors to this risk, and the actions being taken. For example, security leaders should be ready to answer these questions:

  • What kinds of attacks are we prepared to defend against?
  • Where do we have deficiencies as an organization, and what risks to business operations are elevated as a result?
  • What is being done to reduce such risks (from a business and technology perspective)?
  • Has a risk grown in significance?
  • What is the proposed strategy to reduce the risk to an acceptable level?

The storytelling needs to focus on business risk rather than technical facts.

Let’s dive into an example. Company X has identified that nontraditional competitors are taking market share by solving long-standing complaints or requests from customers. One of the requests is the ability to place online orders 24/7 and to have such orders fulfilled within 24 hours.

From a security practitioner’s perspective, this can be interpreted as “no critical business operations or capabilities supporting online ordering or fulfillment can be affected by a cyberattack and, if unavoidably affected, must be rapidly recovered.” When viewed from this perspective, the metrics of value become clear. What are the top risks to enabling and protecting related critical business capabilities and the underlying supporting technology? What is the likelihood of the risk actually happening? What is the potential monetary impact associated with the likely event, and what are the key risk contributors? What is already being done, and what is the proposed cross-functional strategy to mitigate residual risk?

Metrics Overload
Often, security teams will deliver an overwhelming amount of metrics and data to the technical teams responsible for fixing these vulnerabilities through software updates and/or configuration changes. For example, these metrics often detail the number of critical, high-, medium-, and low-risk vulnerabilities across the entire environment with little to no logical prioritization.

But not all vulnerabilities are equally important or have equal business effects. Generic metrics with highly extensive reports listing the details and remediation actions of all identified vulnerabilities often fail to result in a meaningful outcome. Executives reading them can get overwhelmed with the amount of information or they can misunderstand it. Too many metrics can deter people from taking action or cause miscommunication, delaying remediation and increasing the likelihood of exploitation and business impact.

Focus on the Biggest Risks
Instead, help technical teams understand the most important vulnerabilities that require their attention and what progress needs to be made. Again, this needs to be tied back to key business objectives and prioritized based on those functions.

Let’s refer back to the Company X example and its objective to deliver 24/7 online ordering and order fulfillment capabilities to its customers. Vulnerabilities with a high potential for exploitation and the potential to significantly affect these critical business operations should be prioritized for remediation. It’s also important to prioritize cases where executing a specific remediation action (for example, updating a software package on all PCs to the latest version) will have a significant risk reduction impact against common attack vectors being exploited by bad actors.

People presented with a massive list of objectives often are overwhelmed to the point that no action is taken, or too few actions are taken to make a difference. Instead, presenting people with a list of specific actions to take first, next, and last, and specifying how these actions will directly affect business operations, lets people take action and feel a level of accomplishment. This can keep the team engaged.

There is an art to reporting security metrics so that they speak the language of leadership and effectively connect the data from security tools and processes to key business objectives. It’s crucial to articulate the metrics well so business leaders understand the significance and recognize the true effect the security program is having. Without this understanding, security teams, budgets, and processes could be overlooked, which increases security risks to the company and could negatively affect brand reputation and customer trust.

As the CISO at Armis, Curtis Simpson is responsible for ensuring that the Armis product continues to maintain its high standard and vigilant focus on platform and customer security and privacy. Prior to Armis, he was the CISO at Sysco, a Fortune 54 corporation. …

Article source: https://www.darkreading.com/risk/how-to-get-the-most-out-of-your-security-metrics/a/d-id/1336859?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Greater Focus on Privacy Pays Off for Firms

Privacy-mature companies complete sales more quickly, have fewer and less serious breaches, and recover from incidents faster, according to Cisco’s annual survey.

Companies that invest in privacy see an average return of 270% on their investments, with seven out of 10 companies seeing significant benefits from their privacy expenditures, according to an annual survey published by Cisco today.

In addition, more mature companies — as measured by a five-point accountability score — saw greater returns on their privacy investments, with high-scoring companies seeing an average benefit of 3.1 times return, compared to low-scoring companies, which saw an average benefit of 2.3 times return, according to the “Cisco Data Privacy Benchmark Study 2020.” The report, based on a survey of 2,500 security professionals familiar with their companies’ privacy practices, underscores that privacy programs are no longer just about avoiding fines but about building trust with customers, says Robert Waitman, director of privacy insights and innovation at Cisco.

“Privacy is not just about being minimally compliant with the laws, which have been changing and becoming more comprehensive. We are seeing other business value from our privacy investments,” he says. “Companies that made privacy investments saw fewer breaches, less costly ones, and less down time. That’s not a coincidence.”

Privacy and data security have grown to become an enormous issue for companies. The European Union’s General Data Protection Regulation (GDPR) has cost companies significantly: British Airways faces a £183 million (US$240 million) fine for website flaws that led to the harvesting of information on a half-million customers. Hotel chain Marriott also faces a significant fine — £99 million (US$130 million) — for a breach that affected 500 million guests of subsidiary Starwood Hotels.

Overall, 82% of companies had a breach in the past year, according to the survey.

Yet businesses are just beginning to see mature privacy practices as a competitive advantage, Waitman says.

“Companies who may be taking the minimalistic approach, who are looking to just avoid fines from GDPR or other private actions and legislation — that is not the right approach,” Waitman says. “This is about enabling and building trust and loyalty with your customers to provide the business value that comes from having your privacy act together.”

Cisco published the survey the day before World Privacy Day, Jan. 28, a decade-old holiday that focuses on promoting privacy and raising awareness of the issues around storing people’s data. The survey found that the largest benefits accrue to companies in the UK, with a 3.5 times return, and Brazil and Mexico, both with a 3.3 times return. Companies in India benefit the least but still estimated that the average return for their firms was 1.9 times.

Interestingly, the relative benefit from privacy investment does not change for small companies as compared to large companies. Small firms may have less need for comprehensive privacy programs, but they also tend to spend much less than larger companies.

“Small companies spend a little, get a little, and large companies spend a lot, get a lot,” Waitman says. “The ratio is kind of similar.”

The company found that large enterprises with 10,000 or more employees spent $1.9 million on privacy, and small companies of fewer than 500 employees spent $800,000, on average. More than 40% of businesses see benefits of more than double the amount spent on privacy efforts, according to the study.

The study’s findings extend Cisco’s 2019 privacy report, which found GDPR-ready firms had fewer data breaches. Firms prepared for the EU privacy regulations exposed an average of 79,000 files during a breach, compared to 212,000 files for companies not compliant with GDPR.

The reports are based on survey responses and security professionals’ estimates of the benefits of privacy programs.

In the end, companies still need to focus on serving their customers’ needs rather than collecting data indiscriminately, Cisco’s Waitman says.

“Legislation has provided power back to the people in terms of controlling their data, to some extent,” he says. “The No. 1 complaint of consumers right now is that they do not know what is going on with how their data is being used by the people they share it with.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/risk/compliance/greater-focus-on-privacy-pays-off-for-firms/d/d-id/1336887?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New York wants to ban taxpayer-funded ransomware payments

New York state senators have proposed two bills that would require government agencies to tell ransomware attackers to get lost.

The first bill, S7246, was proposed by Senator Phil Boyle on 14 January. The bill would keep government hands out of taxpayers’ pockets, restricting the use of taxpayer moneys when it comes to small cities or towns – with populations under 1 million – paying off attackers with tax money.

If passed, it would also set up a $5 million fund to help overhaul the IT infrastructures of such small towns.

From the bill, now under discussion in committee:

The Cyber Security Enhancement Fund that will make available grants and financial assistance to villages, towns, and cities with a population of one million or less for the purpose of upgrading the cyber security of their local government.

The second bill, S7289, was introduced by Senator David Carlucci two days later, on 16 January. It would prohibit government agencies from paying ransom in the event of a cyberattack against their critical infrastructures.

S7289 is likewise under discussion in committee, and it’s unclear which bill will make it to a vote in the state senate.

First state to join US mayors in the ‘bug off’ camp

We’ve seen mayors in US cities resolve to eschew paying ransom to get their systems back from attackers, but New York is the first state to make a move in that direction – and to back it up with actual (albeit only proposed, at this point) legislation.

In June 2019, the US Conference of Mayors passed a non-binding resolution to tell attackers to go suck on rocks. That body is made up of mayors from 1,407 US cities with populations of 30,000. In its resolution, the mayors cited at least 170 county, city, or state government systems that have experienced a ransomware attack since 2013, with 22 of those attacks having occurred in 2019 alone, including the cities of Baltimore (it was at least its second ransomware attack, having also been hit a year before that); Albany, New York; and the counties of Fisher, Texas and Genesee, Michigan.

Ransomware attacks against state and local governments, while on the rise, are underreported – largely because there’s no requirement that forces governments to do so.

The text for S7289 referred to one of those attacks, which happened in Albany last month: on Christmas Day, the Albany International Airport was targeted, paralyzing the airport. The attackers demanded a ransom in exchange for the return of data and restoration of the airport’s systems. Desperate, the airport complied, paying an undisclosed amount that was less than six figures.

We don’t want to keep doing this, the bill says. We don’t want to keep rewarding these crooks for these attacks. From the bill’s text:

When municipal corporations and government agencies comply with these ransoms, they incentivize cyber-attackers looking to make a quick buck. Prohibiting these entities from complying with ransom requests will remove this incentive and safeguard taxpayer dollars.

Will refusing to pay make them go away?

Probably not, at least initially. Bill Siegel, CEO and co-founder of Coveware – a security firm that helps in ransomware attack recovery and sometimes negotiates payments on behalf of victims – told ZDNet that attackers may be tempted to test lawmakers’ resolve:

I do not think it will staunch attacks on NY based municipal organizations in the short term, it may even increase them as ransomware distributors may try to test the resolve of these organizations.

What’s more, if one of the bills passes, there could well be serious harm done and potential liability for the state agencies, he said:

If a state were to pass a bill making payment of ransoms unlawful, then two large issues should be heavily considered. 1) What happens if a NY-based municipal hospital is attacked, and the downtime causes the loss of life that could have been avoided if they were allowed to pay? 2) Are the state’s municipal organizations adequately staffed and budgeted with [disaster recovery] plans, backup systems, and security programs to effectively repel and recover from an attack without creating material interruption to civic operations?

There haven’t been any deaths attributed to ransomware attacks on healthcare facilities, or prisons, or emergency service dispatching, or schools – yet. That could be attributed to simple luck, given the havoc such attacks have wreaked, including emergency patients having to be redirected to other hospitals, medical records rendered inaccessible or permanently lost, cancelled surgeries, postponed medical tests, interrupted emergency-call services, police losing access to criminal histories or warrants, jail doors that couldn’t be opened remotely, and schools losing access to data about students’ medications or allergies.

A $5 million grant to bolster local governments’ security posture would be a step in the right direction, but it’s likely just a drop in the bucket when it comes to adequately hardening defenses.

After all, there’s a long, long way to go. Case in point: in October 2019, an audit of the much-attacked city of Baltimore concluded that its data storage was “mind-bogglingly bad” – as in, many staffers in the city’s IT department were storing files on their computers’ hard drives, rather than keeping properly backed-up data stored in the cloud or off-site.

Keeping data properly backed up is one of the key requirements when it comes to protecting yourself from ransomware. Here are some other ways:

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
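The “lock down RDP” advice above is easier to act on when you can see password guessing against RDP in your own logs. The following is an added example (not code from Naked Security or Sophos) that applies a simple rate-limit rule to failed Windows logons: it flags any source address that exceeds a threshold of failed RDP logons inside a sliding one-minute window and lists the account names tried. It assumes the Security log has already been exported as one line per event in the form `<ISO timestamp> <EventID> <LogonType> <SourceIP> <Account>`; Event ID 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the sample records, addresses and account names are constructed.

```python
"""Flag RDP password guessing in constructed Windows logon-failure records.

Added example, not from the original article. Assumed export format
(one event per line): <ISO timestamp> <EventID> <LogonType> <SourceIP> <Account>
Event ID 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample export: one source hammers RDP with several account
# names, one legitimate user mistypes a password twice and then succeeds,
# and one failure is a network (type 3) logon that is not RDP at all.
SAMPLE_LOG = """\
2020-01-25T08:00:01 4625 10 203.0.113.7 administrator
2020-01-25T08:00:03 4625 10 203.0.113.7 admin
2020-01-25T08:00:04 4625 10 203.0.113.7 backup
2020-01-25T08:00:06 4625 10 203.0.113.7 sysadmin
2020-01-25T08:00:08 4625 10 203.0.113.7 scanner
2020-01-25T08:00:09 4625 10 203.0.113.7 test
2020-01-25T08:05:00 4625 10 198.51.100.22 alice
2020-01-25T08:05:30 4625 10 198.51.100.22 alice
2020-01-25T08:06:00 4624 10 198.51.100.22 alice
2020-01-25T09:00:00 4625 3 192.0.2.9 svc_backup
"""


class LogonEvent(NamedTuple):
    when: datetime
    event_id: int
    logon_type: int
    source: str
    account: str


def parse_events(text: str) -> List[LogonEvent]:
    """Parse the assumed five-field export into LogonEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, ltype, src, acct = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid),
                                 int(ltype), src, acct))
    return events


def find_rdp_bruteforce(events: List[LogonEvent], threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Return {source_ip: peak failures in `window`} for sources whose failed
    RDP logons (4625, type 10) reach `threshold` inside any sliding window."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peak = defaultdict(int)       # source -> largest window count observed
    for ev in sorted(events, key=lambda e: e.when):
        if ev.event_id != 4625 or ev.logon_type != 10:
            continue
        q = recent[ev.source]
        q.append(ev.when)
        while q and ev.when - q[0] > window:   # drop failures older than the window
            q.popleft()
        peak[ev.source] = max(peak[ev.source], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def guessed_accounts(events: List[LogonEvent], source: str) -> List[str]:
    """Distinct account names that failed RDP logon from `source`, first-seen order."""
    seen: List[str] = []
    for ev in events:
        if (ev.source == source and ev.event_id == 4625
                and ev.logon_type == 10 and ev.account not in seen):
            seen.append(ev.account)
    return seen


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, n in find_rdp_bruteforce(evs).items():
        print(f"{src}: {n} failed RDP logons within one minute; "
              f"accounts tried: {guessed_accounts(evs, src)}")
```

The sliding window is what makes this a rate rule rather than a plain count: a user who fails twice over an hour never reaches the threshold, while a burst of distinct account names from one address in a few seconds does. In practice the same rule is what you would feed to a firewall or gateway rate limiter, and a source that trips it with many different account names and no successful logon is a strong signal that RDP should not be reachable from that network at all.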


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/M15zqIhc3yU/

Teenagers today. Can’t take them anywhere, eh? 18-year-old kid accused of $50m SIM-swap cryptocurrency heist

Roundup: Here comes a summary of this week’s computer security news beyond what we’ve already covered.

Montreal youth blamed for massive phone-swapping scheme

An 18-year-old man from Canada has been accused of stealing more than $50m in cryptocurrency using SIM-swapping attacks.

SIM swapping typically involves crooks tricking cellular network support staff to transfer victims’ smartphone numbers to the criminals’ own SIMs, and then using those numbers to reset passwords, or get two-factor authentication tokens, via text messages, and ultimately access and drain cryptocoin accounts.

Prosecutors in Montreal believe Samy Bensaci specifically targeted the cell numbers of people he knew were attending a conference on cryptocurrencies, and thus were more likely to have significant amounts of cash invested.

He was charged, released on bail, and ordered to stay with his parents.

Cisco has busy patch week

Admins using Cisco gear in their networks will want to head over to Switchzilla’s security portal and check for applicable updates among the latest batch of 28 patches.

Among the most serious are a critical fix for Firepower Management Center and high-priority patches in WebEx Meetings and IOS XR.

GE medical monitors found to have security flaws

Any time the US Department of Homeland Security gets involved with a bug disclosure, you should pay attention.

This time, the DHS is warning medical providers to immediately patch a series of vulnerabilities in General Electric’s Carescape, ApexPro, and Clinical Information Center devices.

The bugs are exploitable over a network connection, meaning an attacker would have to be on the local network, or the devices would, for some reason, have to be attached to a network that is remotely accessible. Hopefully, any network that these units are linked to is well-secured to begin with.

Either way, it would be wise to test and install the patches from GE as soon as possible.

US soldiers told to use encryption apps on deployment

American troops in the Middle East have been told to use officially-sanctioned encrypted text apps while in the field.

The Military Times says members of the 82nd Airborne Task Force Devil have been advised to lock down their text messages in order to prevent eavesdropping from the enemy.

Soldiers are being told to make use of either Signal or Wickr when sending messages over their government-issued handsets. These apps will be used in addition to VPNs for the data connections.

While the apps will provide a layer of security for the messages, the Times notes that they raise concerns over record keeping and transparency, as the apps could allow for communications to automatically be deleted.

Exploits arise for Microsoft RDP flaws

If you haven’t yet got around to installing Microsoft’s January patch release, now would be a good time to do so. Researchers have posted proof-of-concept exploits for two of the more serious flaws addressed in the release: CVE-2020-0609 and CVE-2020-0610.

Those bugs, present in the Windows RDP remote desktop software, would potentially allow an attacker to completely take over a targeted system by way of a poisoned network packet. As these are considered critical flaws, getting the patches tested and installed should be a top priority.

Uncle Sam gets poor review on data protection

The US federal government continues to struggle with its efforts to overhaul its IT security practices and policies. The State Department is the latest agency to get a bad grade on its cybersecurity audit.

Among the issues raised by the Office of the Inspector General were the department’s failure to hire two key security positions, a lack of lifecycle planning, and problems with financial reporting and identity management.

German car renter drops the details of three million people

Bad news out of Germany: one of the nation’s top car rental companies has suffered a massive data leak that includes payment card details on millions of people.

Heise reports that a whopping 10TB of data from rental biz Buchbinder were left sitting out in an exposed database for several weeks.

Among the details included in the database were customer phone numbers, addresses, accident reports, emails, employee information, and in some cases payment information and bank details (but not credit card information, thankfully).

While most of the exposed records were from Germany, there were also some details on customers in Austria, Italy, Slovakia, and Hungary.

Citrix extends patching effort for critical vulnerability

It’s the bug that just wouldn’t go away.

Days after issuing the first patches for the critical vulnerability in ADC and Gateway, Citrix has rolled out a second batch of updates for even more of its networking hardware.

This latest release extends the update to cover ADC and Citrix Gateway firmware versions 12.1 and 13.0, which were not addressed in the fixes posted earlier this week.

As the flaws are both being scanned for and exploited in the wild, admins will want to get the patches in place ASAP.

Intercept cofounder faces charges

Glenn Greenwald, one of the first journalists to report Edward Snowden’s revelations, faces criminal charges in Brazil on allegations of assisting criminal hackers. The Intercept, which Greenwald cofounded and edits, claims he is being unfairly targeted for reporting corruption in the ranks of the Brazilian government.

“The Bolsonaro government has repeatedly made it clear that it does not believe in basic press freedoms,” the publication claimed on Tuesday. “Today’s announcement that a criminal complaint has been filed against Intercept co-founding editor Glenn Greenwald is the latest example of journalists facing serious threats in Brazil.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/25/security_roundup/

7 Steps to IoT Security in 2020

There are important steps security teams should take to be ready for the evolving security threats to the IoT in 2020.

In the opening weeks of a new year, it’s reasonable to ask whether the security challenges to be faced in the year ahead differ from those in previous years. And whether or not the challenges differ, should organizations shift their defensive strategies, especially when it comes to operational technology (OT), Internet of Things (IoT), and critical infrastructure components?

“What we’re seeing emerging in general trends in cybersecurity is that it’s always been a pretty dynamic place, but now the attacks know no boundaries,” says Stuart Reed, vice president of cybersecurity at Nominet. And, he explains, those boundary-jumping attacks against OT can have an impact beyond data — hitting systems that have an immediate impact on human life and safety.

Security’s job is complicated by OT and IoT devices that weren’t designed with the level of security that’s now the norm in IT systems. “A lot of the control systems and the OT infrastructure were never, ever designed to be digitally connected anywhere else,” says Reed. But the continuing trend of digitalization, he explains, means that few OT systems can remain isolated for long.

With threats from both criminal and nation-state aggressors evolving, what steps should security teams take to protect the OT and IoT systems owned by their organizations? Dark Reading spoke to experts in the industry to ask what they would recommend for dealing with the IoT threats of 2020. Through the conversations we collected seven key considerations for security professionals looking to keep their OT systems as secure as possible in the months ahead — no matter how the threat landscape might change.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/edge/theedge/7-steps-to-iot-security-in-2020/b/d-id/1336872?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple