STE WILLIAMS

Banks confident of their approach to security – but still get hit by hackers

Banks around the world are pretty confident about their security, it seems – but what is that confidence built on?

According to a report from Accenture outlining the banks’ attitude to their security, 73% of respondents considered that security was embedded in their culture – but on average they had 85 targeted breaches per year, one third of which are successful.

The banks’ confidence is laid bare in some of the statistics. Managers believed that security was achieving genuine business results: 93% said it was protecting customer details, 89% said it protected company information, 78% felt it prevented service disruption and 76% believed it protected the bank’s reputation. And yet the statistic on targeted breaches boils down to at least one successful attack per month.

Also striking is how long it can take to detect a breach. “The length of time taken to detect these security breaches demonstrates that the attackers are spending considerable time inside the organizations,” says the report. “59% of banking respondents admit it takes “months” to detect successful breaches, while another 14% identify them “within a year” or longer.”

Add to this the fact that 48% believed the worst threats come from malicious insiders and it becomes surprising that managers seem to be so sanguine. Accenture’s answer is for the institutions to assess their security more thoroughly and then go through some simulation exercises – tough internal questioning and a holistic approach.

Banks do fall foul of hackers, as Tesco Bank did in the UK last year. That said, they are not the most vulnerable sector; the UK government’s Cyber Security Survey 2017 puts other sectors in the top three: information, communications or utilities (62%), administration or real estate (62%) and professional, scientific or technical services (60%). The difference is that bank data, by definition, always concerns other people’s money.

Javvad Malik, security advocate at AlienVault, believes it’s to do with banking culture. Banks have had to make many security-driven changes, and they’ve had to make them very quickly, he points out:

In doing so though, many legacy processes and disciplines have simply been lifted and shifted into the digital era. While this may work well for some aspects, such as the convenience of online banking – security hasn’t always been modernised accordingly.

This chimes with the view of Alex Mathews at Positive Technologies, who fears attacks will increase. He says:

Banks use old reactive information security approaches and out-of-the-box protection that doesn’t work. At the same time, hackers, drawn to easy money, start replicating successful attacks.

It’s perhaps unsurprising that financial institutions, or any repository of money, are going to be a target for hackers at some point. Nor does it come as any surprise that the banks are investing in security. However, that they’re apparently confident of their security might be more of a surprise given what’s revealed in this survey.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-XRzObTLn_w/

Discovery of 8,800 servers sends warning to Asian cybercriminals

In one of the more curious cybercrime announcements of recent times, Interpol’s Asian centre says it has “identified” 8,800 servers used for command and control (C2) of all sorts of bad things, including DDoS attacks and distributing ransomware and spam.

You read that correctly. Interpol hasn’t disrupted these servers, merely passed information on their whereabouts and malevolent purpose to police forces in eight countries, including Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam.

The operation isolated the C2 by working back from 270 websites infected with malware, assisted by intelligence and know-how from a number of cybersecurity companies.

Added Interpol:

Among them were several government websites which may have contained personal data of their citizens.

Individual criminals were also identified in Nigeria and Indonesia, which hints that arrests might be forthcoming.

It sounds like a modest achievement until you remember that Asia is a favoured geography for malware hosting infrastructure (including servers used to attack other parts of the globe) but has, historically, seen underwhelming levels of cross-border co-operation.

If action at national level in the countries affected eventually sees the servers disappear forever, it’s not something to be sniffed at.

The bigger picture is that Interpol’s Global Complex for Innovation (IGCI), opened in Singapore in 2015, is signalling that it’s up and running and able to make a difference – however emblematic.

Cybercrime can be mitigated by technology, of course, but few doubt the importance of going after it at the roots, both the servers and the people who run and profit from them.

It’s a massive challenge because these people can base themselves anywhere in the world, and introducing legal hazard into their lives requires the sort of co-operation police forces and governments aren’t used to.

Founded as long ago as 1923 as the International Criminal Police Commission (ICPC), Interpol is turning out to be a useful tool in the battle against cybercrime.

Cybersecurity companies like it because its regional centres act as an independent broker that allows them to put aside commercial considerations. Police forces value it because it means they can have a relationship with one centre instead of possibly dozens of national operations.

But its biggest significance is it gets the private and public sectors to work together, the former with intel and the latter with legal authority.

Recent Interpol cybercrime operations have included disrupting the Avalanche botnet late last year, and the takedown of the Simda botnet two years ago. Between times were the arrests of individuals accused of being behind the infamous DD4BC DDoS extortion racket, and a global operation across Interpol’s divisions to rid the world of the one-million strong Dorkbot botnet.

Only days ago, Europol’s European Cybercrime Centre (EC3) announced it had coordinated an operation between UK and Spanish police that saw the arrest of five people accused of distributing Remote Access Trojans (RATs) and keyloggers.

We should interpret the identification of 8,800 C2 servers as good PR for Interpol but also, to quote Interpol’s chief superintendent Chan, “a blueprint for future operations”.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OTnsvlSdP_Y/

News in brief: Cassini dives into Saturn’s rings; Mexican pirate site move; Twitter under fire from spooks

Your daily round-up of some of the other stories in the news

Plucky space probe survives first Saturn dive

Hours after beginning the first of its 22 dives through the rings of Saturn before heading for a final, planned crash into the surface of the planet, the Cassini probe re-established contact with Earth, said NASA on Thursday.

Any of the 124,000kph dives through Saturn’s rings, which are made of rock and ice, could prove fatal for the probe if it were hit by the particles of the rings, although engineers were hopeful it would make it through the gap successfully. The first dive took the probe to within 3,000km of the tops of Saturn’s clouds.

Earl Maize of NASA said: “No spacecraft has ever been this close to Saturn before.” As a precaution, Cassini, which blasted off from Earth in 1997 and arrived at Saturn in 2004, was oriented so that its 4m-across dish-shaped antenna acted as a shield to protect it from the particles in the rings as it hurtled through them.

The downside of that, however, was that it was out of contact with scientists back on Earth during the dive. “I am delighted to report that Cassini shot through the gap just as we planned and has come out the other side in excellent shape,” added Maize.

Cassini’s next dive is scheduled to take place on May 2.

Mexico bans ISPs from blocking access to pirate sites

In a move that is the antithesis of attempts to block content-pirating resources in countries such as the UK, Mexico’s Supreme Court of Justice has ruled that the government can’t order ISPs to block access to sites that provide access to copyright-infringing material because not only is legitimate content also blocked, but also the move violates the public’s freedom of expression.

Torrentfreak reports that the ruling is the result of a court battle that began in 2015 when Alestra, an ISP, was ordered to block access to a music downloads site that was aimed at the Mexican audience.

Alestra appealed, arguing that the order also blocked access to legitimate music. The Supreme Court agreed, and what it now means is that anyone seeking to block Mexicans’ access to content will have to be much more specific and targeted about their legal attempts to do so.

Spooks denied access to Twitter user data

Twitter came under fire from the UK government again on Wednesday when Downing Street accused the social media platform of shirking its responsibility to join the fight against terror.

Downing Street’s protest came after Twitter decided to block intelligence agencies’ access to some user data via a third-party service that other businesses also use to access the data.

The FT reported that the UK government had said that “the government position is that the fight against terrorism is not just a matter for the police and security services – social media and tech companies have a role to play too.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fR8Skhvj3vE/

Seven in ten UK unis admit being duped by phishing attacks

Seven in ten UK universities have admitted falling victim to a phishing attack in which an individual has been tricked into disclosing personal details via an email purporting to be from a trusted source.

The figure comes from a Freedom of Information (FoI) request by Duo Security to 70 universities across the UK, of which 51 responded. Seven universities, including those with GCHQ-certified degree courses – Oxford and Cranfield University – reported they had been targeted more than 50 times in the 12 months prior to November 2016.

The findings, released Wednesday, follow a recent warning from Action Fraud, the UK’s fraud and cybercrime reporting centre, about a phishing scam specifically targeting UK university staff. The bogus email claims the recipient is due for a pay increase, before directing them to click on a link and enter financial details and university logins.

Henry Seddon, vice president EMEA for Duo Security, commented: “The challenge is that phishing attacks are increasingly sophisticated – a targeted spear phishing attack can be particularly difficult to spot – but they can ultimately compromise the security of the entire network. They open the doors to hackers, with stolen credentials, to access an organisation’s system virtually undetected, posing as an authorised user. Worryingly, phishing is now the most popular way of delivering ransomware on to an organisation’s network.”

More details on the FOI – alongside advice on avoiding phishing attacks – can be found in a blog post by Duo Security here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/uk_uni_phishing_foi/

Super-secure Pi-stuffed nomx email server box given a good probing

Security researchers claim to have uncovered a variety of serious security holes in a heavily touted secure email server technology. Nomx, the firm behind the device, strongly disputes the claims and has issued a hacking challenge to the researchers, involving the creation of an email account on a designated remotely hosted nomx device.

Nomx launched its email server hardware at the CES trade show in Las Vegas back in January. Its marketing trumpets that “nomx ensures absolute privacy for personal and commercial email and messaging” adding, “Everything else is insecure”.

After an inspection of the hardware, researcher Scott Helme claimed he had quickly uncovered all sorts of shortcomings.

The device is running standard mail server software on a Raspberry Pi, most of which is outdated, claimed Helme. Worse yet, nomx’s web interface presents a serious CSRF (Cross-Site Request Forgery) vulnerability, he alleged. In addition, the device can’t receive updates, a basic security requirement, he said. These and other flaws are detailed in a long blog post (complete with screenshots and other details) here.

“They make some very bold claims but the device is awful,” Helme told El Reg. “I have a full remote compromise.

“There are three different ways to exploit the CSRF, all of which they claim to have patched but [they] haven’t made a patch available to me.”

The range of potential exploits on the device is extensive, according to Helme.

“I can read your emails, delete your emails, send emails, [or] create my own email address on your device to log in and use,” he said.

Will Donaldson of nomx strongly disputed all of this, claiming that Helme is trying to discredit nomx – which Helme denies. Donaldson said that nomx had addressed the CSRF issue highlighted by Helme, the impact of which he also disputed.

“The CSRF vulnerability he disclosed, if present on any nomx device, could potentially have allowed access if the users were on the management page of the nomx device and visited a hacked page or malware site,” Donaldson told El Reg in a lengthy email. “With routine email use, it did not have any relevance and could not occur unless the management page was accessed while simultaneously going to a third party website.”

He added: “We’ve resolved that issue with any of our users who could have been affected and no longer provide that version of nomx.”

Helme responded: “They claim to have resolved the CSRF issue but haven’t provided me with the update or details on how they did it. I can’t see any update mechanism or feature on the device.”
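The exchange above turns on how a CSRF works: the browser attaches the device’s session cookie to any form post, so a page on another site can trigger a state-changing action on the management interface. The following is an added example, not nomx’s code, showing the weak handler beside a hardened one that checks the request origin and a synchronizer token. The request and session dictionaries, the `https://nomx.local` management origin and the “create mailbox” action are constructed stand-ins.

```python
"""Added example (not nomx's code): a management endpoint with and without
a CSRF check. Request/session records, the management origin and the
'create mailbox' action are constructed stand-ins for the device's web UI."""
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical origin of the device's management page.
MANAGEMENT_ORIGIN = "https://nomx.local"
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def make_request(method, form, origin=None):
    """Constructed request record: method, form fields and (optionally) the
    Origin header a browser attaches to a form post."""
    headers = {"Origin": origin} if origin else {}
    return {"method": method, "form": form, "headers": headers}


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it so
    the management page can embed it in its forms (synchronizer token pattern)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(origin):
    """Compare scheme and host exactly; a prefix match would wrongly accept
    'https://nomx.local.attacker.example'."""
    want, got = urlsplit(MANAGEMENT_ORIGIN), urlsplit(origin or "")
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def apply_change(form):
    """Stand-in for the state-changing action (e.g. creating a mailbox)."""
    return f"mailbox {form.get('mailbox')} created"


def handle_unprotected(session, request):
    """'Before': the only check is the logged-in session, which the browser
    supplies automatically, so a form auto-submitted by another site is honoured."""
    if not session.get("user"):
        return 401, "login required"
    return 200, apply_change(request["form"])


def handle_protected(session, request):
    """'After': a state-changing request must come from the management origin
    and carry the token stored in this session."""
    if not session.get("user"):
        return 401, "login required"
    if request["method"] in STATE_CHANGING:
        if not same_origin(request["headers"].get("Origin")):
            return 403, "cross-site request rejected"
        submitted = request["form"].get("csrf_token", "")
        expected = session.get("csrf_token", "")
        # constant-time comparison; encode so non-ASCII input cannot raise
        if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
            return 403, "missing or invalid CSRF token"
    return 200, apply_change(request["form"])


if __name__ == "__main__":
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    legit = make_request("POST", {"mailbox": "alice", "csrf_token": token}, MANAGEMENT_ORIGIN)
    forged = make_request("POST", {"mailbox": "mallory"}, "https://attacker.example")
    print(handle_unprotected(session, forged))  # the weakness: accepted
    print(handle_protected(session, forged))    # rejected
    print(handle_protected(session, legit))     # accepted
```

The point of the hardened handler is that possession of the session cookie alone no longer authorises a change: the token lives in the page the user actually loaded from the device, and the Origin check catches forged posts even before the token is inspected.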

Professor Alan Woodward, who worked with Helme in analysing the device as part of an investigation initiated by BBC consumer tech programme Click, told El Reg: “The only part that could be considered ‘different’ to normal email servers is the box-to-box communication. However, as far as I can tell this uses a standard part of Postfix: transport tables.

“I had assumed initially that there was going to be some new protocol with out-of-band comms for key exchange or similar. But it’s just an email server using TLS with locally held IP addresses for where to send specific email traffic,” he claimed.

What’s in a name?

The name nomx (no mail exchange) was chosen for the kit because it is designed to skip vulnerable third-party mail exchange servers.

Donaldson offered a description of nomx’s design aims. “Our primary goal is keeping messages off vulnerable third-party servers. We do that by forcing emails to go through certain routes on the internet instead of using traditional email relays that copy these messages and are vulnerable to a host of issues.

“Scott [Helme] has attempted to discredit nomx by stating that it is simply ‘Postfix on a Pi’. That doesn’t actually represent nomx – which provides a series of services and protocols that when used together resolve the vulnerabilities of the third party servers.”

The number of nomx accounts that have been compromised since inception is nil, according to Donaldson.

Professor Woodward said the security questions around nomx raise a wider point about whether potential buyers can trust promises made by security vendors in general.

“My concern is that users may take much of what is claimed at face value – it is a classic example of how ‘security’ is unregulated and that the main group holding vendors to account are ethical hackers,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/nomx_insecurity/

Mysterious Hajime botnet has pwned 300,000 IoT devices

Hajime – the “vigilante” IoT worm that blocks rival botnets – has built up a network of 300,000 compromised devices, according to new figures from Kaspersky Lab.

The steadily spreading Hajime IoT worm fights the Mirai botnet for control of easy-to-hack IoT products. The malware is billed as a vigilante-style internet clean-up operation but it might easily be abused as a resource for cyber-attacks, hence a growing concern among security watchers.

Hajime, like Mirai before it, takes advantage of factory-set (default) username and password combinations to brute-force its way into unsecured devices with open Telnet ports. The malware was first discovered [PDF] by security researchers at Rapidity Networks in October 2016. Since then it has spread steadily but inexorably. Most of the targets have turned out to be Digital Video Recorders, followed by webcams and routers, according to Kaspersky Lab.

Hajime avoids several networks, including those of General Electric, Hewlett-Packard, the US Postal Service, the United States Department of Defense, and a number of private networks. Infections had primarily come from Vietnam (over 20 per cent), Taiwan (almost 13 per cent) and Brazil (around 9 per cent).

The resiliency of Hajime surpasses that of Mirai, security researchers say. Features such as a peer-to-peer rather than centralised control network and hidden processes make it harder to interfere with the operation of Hajime (meaning “beginning” in Japanese) than with comparable botnets.

Botnets of compromised devices can be harnessed for a variety of cyber-crimes ranging from DDoS attacks on targeted web sites to running credential-stuffing attacks or scanning websites for SQL injection vulnerabilities. The malware – which is not doing anything malign, at least for now – displays a message that says a “white hat” is “securing some systems”. The worm blocks access to ports 23, 7547, 5555, and 5358, common entry points for the rival Mirai worm and other threats.

There is no attacking code or capability in Hajime – only a propagation module. Despite its (current) benign state, Hajime is still a concern, not least because the malware’s real purpose remains unknown.

“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible,” said Konstantin Zykov, senior security researcher at Kaspersky Lab. ®
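The article describes both how Hajime gets in (factory-default credentials brute-forced over an open Telnet port) and which ports it then blocks (23, 7547, 5555 and 5358). The following is an added example, not Kaspersky’s or any Hajime analysis code, of the triage a device owner or network defender can run on their own logs: it flags sources that hammer the Telnet login within a short window, flags those that then log in successfully, and reports which of the listed ports a device still has listening. The log line format, the IP addresses, the window and the threshold are all constructed assumptions.

```python
"""Added example (not from Kaspersky or the Hajime write-ups): detect
Telnet brute-force bursts and subsequent successful logins in constructed
log lines, and check which Hajime-blocked ports a device still exposes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article lists as Hajime's blocked entry points; a defender
# should make sure none of them is reachable from the internet either.
HAJIME_BLOCKED_PORTS = {23, 7547, 5555, 5358}

# Constructed log format (assumption): one Telnet login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) telnetd\[\d+\]: "
    r"LOGIN (?P<result>FAILED|OK) user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed sample: one source guesses five times in five seconds and then
# gets in; another makes a single mistake and logs in half an hour later.
SAMPLE_LOG = """\
2017-04-27 10:00:01 telnetd[412]: LOGIN FAILED user=root from=198.51.100.7
2017-04-27 10:00:02 telnetd[412]: LOGIN FAILED user=admin from=198.51.100.7
2017-04-27 10:00:03 telnetd[412]: LOGIN FAILED user=root from=198.51.100.7
2017-04-27 10:00:04 telnetd[412]: LOGIN FAILED user=admin from=198.51.100.7
2017-04-27 10:00:05 telnetd[412]: LOGIN FAILED user=root from=198.51.100.7
2017-04-27 10:00:06 telnetd[412]: LOGIN OK user=root from=198.51.100.7
2017-04-27 10:30:00 telnetd[412]: LOGIN FAILED user=operator from=192.0.2.44
2017-04-27 11:00:00 telnetd[412]: LOGIN OK user=operator from=192.0.2.44
"""


def parse_log(text):
    """Turn matching lines into event dicts sorted by timestamp; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def brute_force_sources(events, window=timedelta(minutes=5), threshold=5):
    """Sources with at least `threshold` failed logins inside any sliding
    `window`; returns {source: peak failures in one window}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            failures[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def compromised_after_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Flagged sources that later logged in successfully, i.e. the guessing
    worked; returns {source: account used}. This is the Hajime/Mirai pattern
    the article describes, and a strong signal to change that password."""
    flagged = brute_force_sources(events, window, threshold)
    hits = {}
    for e in events:
        if e["result"] == "OK" and e["src"] in flagged and e["src"] not in hits:
            hits[e["src"]] = e["user"]
    return hits


def exposed_hajime_ports(listening_ports):
    """Which of the device's listening ports are on the article's list."""
    return sorted(set(listening_ports) & HAJIME_BLOCKED_PORTS)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(ev))
    print("compromised:", compromised_after_brute_force(ev))
    print("exposed ports:", exposed_hajime_ports([22, 23, 80, 7547]))
```

On the constructed sample only 198.51.100.7 is reported: five failures in four seconds followed by a successful `root` login, whereas the single typo from 192.0.2.44 never reaches the threshold. The thresholds are deliberately conservative; a real device that is never administered over Telnet should treat any remote login on port 23 as suspicious and, better, not listen on these ports at all.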

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/hajime_iot_botnet/

Microsoft Updates Foreign Surveillance Request Count

Microsoft received 0-499 surveillance requests from January to June 2016, correcting an earlier report stating orders spiked to 1,000-1,499.

Microsoft has updated its latest biannual transparency report to confirm it received between 0 and 499 orders for disclosures of customer content between January and June 2016 under the Foreign Intelligence Surveillance Act (FISA). It initially reported receiving 1,000-1,499 requests.

The update is a significant change from Microsoft’s earlier report, which indicated a major spike in requests during the first half of 2016. It means there was no change in the number of requests between the previous reporting period (July – Dec 2015) and the most recent.

Other data disclosed remains accurate. The orders seeking content disclosure affected 12,000-12,499 user accounts, a drop from the 17,500-17,999 accounts affected in the previous time period.

Microsoft included the FISA data in its latest biannual transparency reports, which were released along with a national security letter from the FBI as part of the USA Freedom Act.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/threat-intelligence/microsoft-updates-foreign-surveillance-request-count/d/d-id/1328747?_mc=RSS_DR_EDT

IRS and Immigration Officials Impersonated in Call Center Scam

A call center in India was used to scare US residents with threats of imprisonment and deportation in a ruse that impersonated US officials.

With stolen data and a call center based in India, a group of thieves impersonated Internal Revenue Service and US Citizenship and Immigration Services officials to scare money out of US residents.

Ashvinbhai Chaudhari, 28, pleaded guilty to one count of conspiracy to commit money laundering in the case, the Department of Justice announced Wednesday. Chaudhari and his co-conspirators used information from data brokers to create a ruse in which Indian call center operators would impersonate IRS and immigration officials and contact US residents to threaten them with arrest, imprisonment, fines, or deportation unless they paid money they allegedly owed the government.

The victims were instructed to make payments by wiring money or purchasing stored value cards. Once the funds were received, the call centers would use a network of “runners” located in the US to liquidate and launder the money, according to the DOJ.

Chaudhari, an Indian national who resided in Texas at the time of the theft, is one of 55 other individuals who have been charged in the case. He is scheduled to be sentenced on July 21. This case is the latest example of the rapid rise in call center fraud, which spiked 113% in 2016.

Read more about the call center case here.


Article source: http://www.darkreading.com/endpoint/irs-and-immigration-officials-impersonated-in-call-center-scam/d/d-id/1328750?_mc=RSS_DR_EDT

Murder victim’s Fitbit contradicts husband’s version of events

A murdered woman’s Fitbit data indicates her husband may have lied about her being shot to death by a masked intruder who, he’d claimed, had zip-tied him to a chair and calmly cut him up… without leaving any scent anywhere in or around the house that a police dog could sniff out.

According to court documents, the woman, Connie Dabate, was shot dead in her Ellington, Connecticut home on December 23 2015. The weapon used to murder her was a .357 Magnum that her husband, Richard, had bought months earlier.

As the warrant affidavit describes, an emergency worker who responded to a call at the couple’s house arrived to find Richard Dabate on the floor of his kitchen, one leg and one wrist zip-tied to a folding chair, with another zip tie around his neck. He said that the supposed intruder was still in the house. Dabate was bleeding from shallow, parallel lacerations.

Dabate’s story went like this: in the morning, his wife went to the gym for a spin class. He got in his car to drive to work. But before he got there, he realized he’d forgotten his laptop. He was also alerted by his home alarm.

When he returned home, Dabate said, he found that a door was ajar. He went into the house and heard noise coming from the second floor, but he figured it was the cats. He alleges that when he went upstairs to investigate, he wound up struggling with a masked intruder – a husky, 6’2″ brute in a camouflage outfit and mask. Dabate alleges that his wife came home during the struggle. He yelled at her to get out of the house, he said, but the attacker tumbled down the stairs into the basement, where Connie had his gun. He heard a shot go off, and he was paralyzed by the noise.

Richard Dabate’s story also included his using a blowtorch to set the intruder’s mask on fire, crawling up the stairs from the basement (still tied to the chair), pressing a panic button on his alarm, and then hurling himself to the stovetop to get his phone and call 911, the emergency number.

Connie’s Fitbit disagrees with his timelines.

Detectives conducted a months-long investigation that found that Richard Dabate had tried to cash in Connie’s $475,000 life insurance policy five days after the shooting (his request was denied); that he’d withdrawn more than $90,000 from Connie’s investment account days after her murder; that he’d gotten his girlfriend pregnant and told her that he was planning to divorce Connie (with whom he had two sons); that his wife apparently had no clue about the pregnancy; and that the couple had fought about finances.

The investigation pulled in an array of digital evidence, much of which undercut Dabate’s story, including records from the alarm company that didn’t back up his claim of receiving a home security alert while he was driving to work.

State police got search warrants for the Dabates’ cellphone records, computer records for Richard Dabate’s laptop, Facebook records for both of them plus the pregnant girlfriend, text messages, and Fitbit records for Connie Dabate.

According to the warrant, the digital evidence they found included a December 2014 entry in the “Notes” section of Connie Dabate’s phone, titled “Why I want a divorce”. Items on that list included claims that Richard Dabate took money “from a lot of accounts that don’t belong to him,” is an unfit parent, is uncaring, doesn’t come home on time and “acts like a kid constantly”.

He’d also taken out a credit card without his wife’s knowledge and used it to pay for flowers for his girlfriend, as well as charging more than $1,200 at a strip club and stays at a nearby motel.

And then there was the Fitbit data trail.

According to her fitness tracker – which she’d been wearing because she’d planned to go to a YMCA fitness class that morning – Connie’s last movements inside the Dabates’ home were at 10:05. That’s nearly an hour after her husband told detectives that she’d been shot by a masked intruder.

The Hartford Courant talked to Lancaster, Pa., district attorney Craig Stedman about the use of health tracker data in criminal investigations. “To say it’s rare to use Fitbit records would be safe,” he told the newspaper. However, he added that the Fitbit

…is an electronic footprint that tracks your movements. It is a great tool for investigators to use. We can also get the information much faster than some other types of evidence such as DNA tests.

And while it’s rare to use personal health device data in criminal investigations, we’ve seen it before. In September 2016, pacemaker data helped to indict an alleged arsonist.

According to court documents, a cardiologist who reviewed the pacemaker’s data determined that it was

…highly improbable [alleged arsonist Ross] Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.

We’ve also seen Arkansas police trying to get Amazon to help them get data from an Amazon Echo they found at a murder scene after a man was strangled in a hot tub.

Besides prosecutors and local police, the government is also quite interested in the information they can gather from connected medical devices… and appliances… and toys… and, well, any and all data that can be monitored and collected courtesy of the IoT.

Richard Dabate is out on bail. The New York Post reports that his next court date is set for Friday and that he’s been charged with felony murder, tampering with evidence, and providing a false statement.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WxxRFQTlQWM/

TalkTalk hack duo plead guilty

Two chaps in the UK have admitted stealing more than 150,000 customer records from TalkTalk.

Matthew Hanley, 22, and Connor Douglass Allsopp, 20, both from Tamworth, copped to charges in connection to the 2015 attack on the broadband ISP’s systems and subsequent attempts to sell people’s personal data to fraudsters.

Hanley pleaded guilty to three charges of violating the Computer Misuse Act and one charge of supplying an article for use in fraud, while Allsopp pleaded guilty to supplying an article for use in fraud and supplying an article intended for use in the commission of an offence.

The pair were among a group of four arrested by UK police in connection with the TalkTalk attack. Along with Allsopp and Hanley, Daniel Kelley, 19, of Wales and a juvenile from Norwich were nabbed for the heist.

According to Met Police, Hanley had attempted to hide traces of the attack from authorities by encrypting some data and wiping the rest. Instead, police say they accessed his social media accounts to get logs of conversations he had on the attack.

The police used news of the guilty pleas to take a victory lap.

“Hanley thought that he was being smart and covering his tracks by wiping his hard drives and encrypting his data,” said Detective Chief Inspector Andy Gould of the Met Police Falcon cybercrime unit.

“But what our investigation shows is that no matter how hard criminals try to conceal their activity, they will leave some kind of trail behind.”

Allsopp, meanwhile, admitted to police that he had supplied details on the vulnerabilities in TalkTalk’s website that were exploited to get to the customer records. He then acted as the fence for the stolen data, attempting to sell it off to crooks.

The pair are set to be sentenced at the Old Bailey on May 31. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/27/talktalk_hack_duo_cop_pleas/