STE WILLIAMS

US May Charge North Korea in Bangladesh Bank Cybertheft

The potential case accuses North Korea, and suspected Chinese middlemen, of spearheading an $81-million theft from Bangladesh Bank.

The US is preparing potential cases against North Korea and Chinese middlemen for their direct involvement in last year’s $81-million Bangladesh Bank cyberheist, Reuters says, quoting a Wall Street Journal (WSJ) report.

North Korean officials may not be directly implicated, but the charge is likely to be one of a foreign country directing the theft. Middlemen could face US Treasury sanctions, reports the WSJ.

It has long been suspected that North Korea was behind the Bangladesh Bank theft. Only recently did the US government go public about the case when Richard Ledgett of the National Security Agency made a reference to it. 

The February 2016 Bangladesh Bank theft involved an illegal transfer of $81 million from its account at the Federal Reserve using fraudulent SWIFT messaging. Investigations have been ongoing, with the bank authorities, the Fed, and SWIFT blaming each other for negligence. SWIFT has since seen a number of further bank thefts using its system.

Read full story here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/us-may-charge-north-korea-in-bangladesh-bank-cybertheft/d/d-id/1328465?_mc=RSS_DR_EDT

LastPass Fixes Serious Security Flaw in Chrome, Firefox Extensions

Password manager LastPass creates a workaround for a serious vulnerability affecting browser extensions in Chrome, Firefox, and Microsoft Edge.

Password manager LastPass has fixed a serious vulnerability in its browser extensions for Google Chrome, Mozilla Firefox, and Microsoft Edge. The flaw was discovered by Google’s Tavis Ormandy, reports Network World. It could have been exploited to access extensions’ internal commands and steal passwords or personal information.

LastPass has put a workaround in place to provide protection from malicious code and plans to fully fix the flaw in updated versions.

Ormandy later reported another vulnerability in the Firefox extension, which LastPass said was linked to the first. The problem was immediately fixed in a new version of the extension, 4.1.36a, released the next day.

“No password changes are required of users at this time,” say LastPass developers.

Read details on Network World.


Article source: http://www.darkreading.com/vulnerabilities---threats/lastpass-fixes-serious-security-flaw-in-chrome-firefox-extensions/d/d-id/1328466?_mc=RSS_DR_EDT

5 Ways CISOs Could Work Better with Their Cyber Insurers

Risk management has become increasingly important, making it crucial companies have good relationships with their insurance company.

Cybersecurity risk management is undergoing one of the most important shifts in recent memory — but this shift is not being driven by the information security industry. Cyber insurance is emerging as a critical new risk management tool for companies and, according to Fitch, it’s the fastest-growing segment in property/casualty insurance. But what does this mean for information security professionals?

Corporate clients and insurance brokers from Allianz recently rated cyberrisk as the third most important corporate peril, above fire, natural catastrophes, and even macroeconomic developments. Too often, CISOs and information security teams have cursory engagement with their cyber insurer. This is bad for the CISO, bad for their insurer, and bad for the cyber resilience of the company.

Forty percent of information security professionals don’t fully understand the “characteristics and limits of the company’s cyber insurance coverage,” according to a study conducted by SANS, and only 14% of insurance broker respondents thought that CISOs fully understand and value the insurance.

Here are five ways CISOs should start engaging with their corporate risk managers, brokers, and insurance carriers today.

1. Understand what cyber insurance coverage your company already has purchased.
Coverage for cyberrisk is complicated because it can be purchased by itself or embedded into other insurance lines such as property, general liability, and crime policies. Knowing what is and isn’t covered is an important first step and will often require engagement with the risk management department and the company’s broker.

Many companies have notification requirements to get their insurer involved in case of a breach. At worst, information security departments should be aware of the policy and its requirements. At best, insurers should have seen a large number of breaches and can be a tremendous resource working through everything from coordinating vendors to offering advice and mobilizing response teams.

2. Get involved with risk managers in the cyber insurance purchase process and in insurance renewals.
Engaging with the information security organization can lead to better premiums by allowing the company to display the security culture that exists in the organization. A top-three broker reported that two airlines with similar cybersecurity postures achieved a 30% differential in the cyber insurance pricing, attributed to the confidence projected by an engaged cybersecurity team in the purchase process and the “culture of security” presented by the CISO.

CISOs are an important party in the insurer selection process. For example, a Fortune 2000 technology company was using a leading managed security services provider to oversee its cybersecurity. However, the vendor was not on the insurer’s incident response panel. This meant that in the event of a breach, the company would not be reimbursed for the additional breach response costs incurred with the managed security provider. Without engagement from the CISO, the company could have purchased a policy that prohibited their most trusted security partner from responding in a breach, which had the potential to slow down the speed of response in a crisis.

3. Proactively provide information in the underwriting process.
Providing security information to an insurer is often misunderstood as a game of “gotchas,” but it’s important to tell them everything. Insurers want to avoid bad risks, so they will be on the lookout for practices that they deem risky, and providing more information will enable more carriers to quote insurance. Think of it like an auction of a piece of property. You want as many bidders as possible, but providing only piecemeal information creates uncertainty and lowers participation.

Research sponsored by Advisen shows that insurance brokers are frustrated by divergent and sometimes conflicting expectations from underwriters. Cyber underwriting is an evolving discipline that’s slowly improving as the industry matures and adopts new data modeling and software tools to make better risk decisions. In the meantime, engaging proactively in the underwriting process and having patience for the questions that insurers are asking is an important step.

4. Security personnel should engage in a transparent dialogue about what security they don’t currently have.
It makes sense that an insurer covering the costs of a data breach wishes to provide incentives to companies to purchase leading data loss prevention software to protect that sensitive data. Similarly, if a company is insuring against ransomware, which is almost exclusively delivered via email, the implementation of email security filtering could be subsidized by the carrier. Companies should understand that their insurer can be a real partner in creating a more resilient cybersecurity program.

Carriers will often include free, trial, or discounted cybersecurity services to their clients, but this requires engagement from the information security team. Looking for security awareness training for employees? In some cases, insurers will pay for services from a cybersecurity organization. 

5. Security professionals should openly share prior breaches with their insurers.
It’s better for a company to illustrate its awareness of its breach history, the lessons learned, and plans to deal with future events. Too frequently, insurance carriers witness risk managers and information security leaders meeting for the first time in an underwriting meeting. To make matters worse, sometimes it’s the insurer informing the risk manager of previous breaches that he or she was not aware of. This doesn’t inspire confidence in the insurer, who could be on the hook for tens of millions of dollars in the event of a claim. Security professionals should be deeply engaged with risk management and insurance buyers.

Security professionals should not see insurers or underwriters as an unwelcome intrusion, second-guessing a company’s security protocols, but rather as a partner protecting the firm’s assets, sometimes with tens of millions of dollars of the insurer’s money on the line. It’s time for CISOs and insurers to take one step closer and embrace each other in a united front against cybercrime.

Pascal Millaire is Vice President at Symantec Corporation, the world’s largest cybersecurity company, and General Manager of the company’s Cyber Insurance Group. In that role, he is responsible for creating new underwriting, actuarial, and catastrophe modeling products that …

Article source: http://www.darkreading.com/risk/5-ways-cisos-could-work-better-with-their-cyber-insurers/a/d-id/1328461?_mc=RSS_DR_EDT

7 Steps to Transforming Yourself into a DevSecOps Rockstar

Security practitioners at one education software firm offer lessons learned from merging DevOps with security.


The union between DevOps and information security stands to help organizations not only deliver software more quickly, but also finally achieve something that application security professionals have been chasing for years now: securing code much earlier in the software development lifecycle. According to recent numbers, high-performing IT teams that engage in DevSecOps work patterns need to spend 50% less time remediating security issues because they’re fixing problems throughout the entire lifecycle.

But achieving those kinds of gains requires that security professionals make big changes in attitudes, work habits, and communication methods, say two professionals from higher ed software developer Ellucian, who have helped the firm transform its development practices. Dark Reading recently caught up with Michele Chubirka, security architect, and Troy Marshall, DevSecOps and cloud reliability leader, to discuss what it takes to get into the DevSecOps groove.

[Learn more about DevSecOps during Interop ITX, May 15-19, at the MGM Grand in Las Vegas. To check out the other Interop security sessions, or to register, click on the live links.]

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/application-security/7-steps-to-transforming-yourself-into-a-devsecops-rockstar/d/d-id/1328467?_mc=RSS_DR_EDT

Fake mobile base stations spreading malware in China

Chinese phishing scum are deploying fake mobile base stations to spread malware in text messages that might otherwise get caught by carriers.

The Android scumware being spread isn’t new to China: known as the “Swearing Trojan” because of profanities in code comments, its authors are already under arrest. But the fake base station is a new vector, according to this research note from Check Point.

The base stations send SMS messages that purport to be from China Telecom or China Unicom, offering a malicious URL apparently endorsed by the customer’s operator. Check Point says China’s Tencent has also seen a more conventional malware dropper in infected applications.

The trojan replaces the Android SMS application with its own, meaning it can steal message-based 2FA such as bank tokens; and it spreads from the infected user by sending phishing messages to victims’ contacts.

Check Point says it’s also seen Swearing use messages about work documents, photos/videos, app update notifications, and the perennial “nude celebrity” message.

Instead of command and control servers, the malware uses SMS to send information back to its masters, and since Tencent had reported arrests of people associated with Swearing, it looks like there are others associated with the campaign. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/23/fake_base_stations_spreading_malware_in_china/

eBay dumps users into insecure authentication mechanism

Web tat bazaar eBay appears to be suggesting its users adopt known-to-be-insecure practices when logging on to the service.

eBay has long offered customers the chance to get their hands on a hard token that generates one-time-passwords. But Krebs on Security reports that a reader received an email from eBay telling customers “We’re going to make 2 step verification more convenient by texting you a PIN instead of having you use your token.”

On the face of it, that’s not the worst idea in the world: it’s easy to forget to bring a hard token with you, but who leaves the house without their phone? Hard tokens also cost money, need occasional battery replacements, can break and generate other administrivial chores.

But there’s one big problem with eBay’s plan, namely that two-factor authentication (2FA) over SMS messages has been shown to be insecure. So insecure that the United States National Institute for Standards and Technology (NIST) last year recommended it be abandoned as an authentication technique.

NIST’s beef with 2FA-over-SMS is that TXT messages can be intercepted, making it possible for bad actors to sniff incoming one-time-passwords.

There’s a moderately-happy ending to this story, because eBay told Krebs it’s not giving up on other 2FA mechanisms and will shortly have more to say on the topic. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/23/ebay_dumps_hard_tokens/

Rise of the Twitterbots increases pressure on Twitter chief Dorsey

Already having a hard time trying to convince advertisers to return, Twitter’s CEO Jack Dorsey is facing increased pressure to step down after it was revealed that a larger number of accounts than originally thought are likely to be fake.

Over the weekend, the UK’s Sunday Times reported that up to 48m – or 15% – of the social media giant’s 319m users were in fact bots.

That’s nearly twice the company’s own estimate that up to 8.5% of its accounts are managed by “bots”.

The paper’s figure reflected a University of Southern California study, which estimates that between 9% and 15% of Twitter accounts “exhibit social bot behaviors”. The study describes “social bots” as social media accounts that, instead of being managed by humans, are using technology to emulate human behavior: “controlled by software, algorithmically generating content and establishing interactions”.

The research team’s analysis revealed three distinct types of social bot:

  • Legit-looking accounts that are promoting themselves, such as recruiters and porn performers.
  • Spam accounts that are very active but have few followers.
  • Accounts that use automated applications to post content from other platforms, such as YouTube and Instagram, or to post links to news articles.

While bots are often seen in a negative light, the researchers acknowledged that many social bots have a positive role to play in society, performing useful functions such as disseminating news and publications and coordinating groups of volunteers. On the other hand, they also point out that these social bots are increasingly being used to

… manufacture fake grassroots political support, promote terrorist propaganda and recruitment, manipulate the stock market, and disseminate rumors and conspiracy theories.

Twitter isn’t the only social media giant struggling with this problem. Last week, advertisers in the UK, including the UK government, boycotted Google after an investigation by The Times, sister paper to The Sunday Times, revealed that brands were being promoted next to jihadist videos on Google’s YouTube platform. Content from Mercedes-Benz and Marie Curie, among others, was being displayed next to content posted by supporters of Islamic State and other extremist groups.

Since YouTube advertisements generate as much as $7.60 for their posters every 1,000 views, the brands were likely to have unwittingly channeled money to terrorist supporters.

USA Today reports that Google has responded by promising to:

  • Pull online ads from controversial content
  • Give brands more control over where their ads appear
  • Deploy more people to enforce its ad policy.

Philipp Schindler, Google’s chief business officer, pledged in a blog post:

Starting today, we’re taking a tougher stance on hateful, offensive and derogatory content.

He also confirmed that the company will be “developing new tools powered by its latest advancements in AI and machine learning” to help it review questionable content more quickly.

Earlier today, The Drum reported that Twitter is also increasingly turning to automated technology to help it remove offensive material more quickly. Twitter, in fact, revealed this increased use of smart software in its biannual transparency report.

This comes as Facebook rolls out a new alert capability in an attempt to combat fake news. The new feature, according to the Guardian, flags content as “disputed”. It was trialed on a story that falsely claimed thousands of Irish people were brought to the US as slaves.

Attempting to share the story prompts a red alert stating the article has been disputed by both Snopes.com and the Associated Press.

Whether it’s fake news, extremist content, stock market manipulation or bullying, the social media giants have a responsibility to do everything in their power to remove inappropriate content from their sites. Keeping up with the wrongdoers will be a constant battle, but if they want their business models to work, they must give advertisers confidence that their brand will be shown in the best light and users confidence that they are interacting with appropriate and legitimate content.

We have yet to see whether they can keep up. Or are we seeing the beginning of the end of the social media era?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SBi--zt8gC8/

News in brief: bid to upgrade Pluto; Nest cameras vulnerable to attack; Google rolls out location sharing

Your daily round-up of some of the other stories in the news

Pluto could be upgraded to planet status

Still upset about Pluto being downgraded from a planet in 2006? Eight planets not enough for one solar system? If so, you’ll be delighted with the news that a paper to be presented at the annual Lunar and Planetary Science conference in Houston by Kirby Runyon of Johns Hopkins University will not only argue for the reclassifying of Pluto as a planet, but also propose promoting more than 100 other solar system objects to planet status.

Runyon argues that Pluto “has everything going on on its surface that you associate with a planet … there’s nothing non-planet about it”. The proposed new definition of a planet says it’s a “sub-stellar mass body that has never undergone nuclear fusion” that has enough gravitational heft to maintain a roughly round shape.

Meanwhile, space science got a boost on Wednesday as US President Donald Trump authorised funding for a crewed mission to Mars, adding such a mission as a key objective for NASA. The US space agency has been allocated more than $19bn for the fiscal year that starts in October, down slightly from the current year, but, said NASA, the agency was grateful “to a bipartisan Congress for its thoughtful consideration of the agency’s path forward”.

Nest cameras vulnerable to Bluetooth attack

We’ve written many times about vulnerabilities in connected security cameras, but the latest security holes, discovered by security researcher Jason Doyle, in Google’s Nest Cam, Dropcam and Dropcam Pro, could be exploited by a burglar close to your house – within Bluetooth range – rather than being compromised remotely.

Doyle has published details of the vulnerabilities on GitHub, but the short version is that two rely on sending what Engadget describes as excessively long WiFi data via Bluetooth to trigger a memory overflow that makes the camera crash and then reboot. The third tricks the camera into temporarily disconnecting and looking to connect to another network.

What this means is that the camera’s recording to the cloud will be temporarily disabled – giving the tech-savvy burglar time to go about their nefarious business. Doyle told the Register that the flaw hasn’t been patched, and points out that because you can’t turn off Bluetooth, you can’t protect yourself against it until the firmware is updated.

“There doesn’t seem to be any reason why [Nest] leaves Bluetooth on after setup unless they need it for future or current integrations,” said Doyle. “Some cameras like the Logitech Circle turn Bluetooth off after setting up WiFi.”

Google to roll out selective location sharing from Maps

Google Maps will shortly be rolling out a feature that allows users to temporarily share their location with their contacts – and the search giant promptly ran into trouble, with some pointing out that it’s a feature that could potentially be abused by stalkers and worse.

When it rolls out, you’ll be able to fire up Google Maps on your phone, tap the blue dot marking where you are, and then tap “share location”, choosing how long to share it and who to share it with.

While the user has control over it, concerns were raised that it could fuel suspicion in abusive partners if someone refused to share their locations. However, on the day when four people died as the heart of London came under attack and Facebook activated its “safety check” feature for Londoners, others welcomed the feature.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WxLmsTEP-hw/

Malware ‘disguised as Siemens firmware drills into 10 industrial plants’

Malware posing as legitimate firmware for Siemens control gear has apparently infected industrial equipment worldwide over the past four years.

The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we’re told. At least 10 industrial plants – seven in the US – were found running the infected firmware, a study by industrial cybersecurity firm Dragos claims.

According to the Texas-based biz, this particular malware was specifically thrown at industrial control equipment. Exactly what it does, or did, is not explained, although it is described as “crimeware”. Dragos CEO Robert Lee writes:

Starting in 2013, there were submissions from an ICS environment in the US for Siemens programmable logic controller control software. The various anti-virus vendors were flagging it as a false positive initially, and then eventually a basic piece of malware. Upon our inspection, we found … variations of this file and Siemens theme 10 times over the last four years, with the most recent flagging of this malicious software being this month in 2017.

In short, there has been an active infection for the last four years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective.

This malware is separate from the common-or-garden adware and bank-raiding Trojans that find their way onto PCs. Dragos conservatively estimates that 3,000 industrial sites a year are infected by traditional cyber-pests. These infections were largely opportunistic Trojans – such as Sivis, Ramnit, and Virut – brought in by staff using infected USB sticks.

Dragos revealed its findings during a keynote at the SANS ICS Security Summit in Orlando, Florida.

Edgard Capdevielle, chief exec at industrial control security specialists Nozomi Networks, said: “That ICS themed malware exists is not surprising, but it is concerning. The reality is that ICS networks today face all the same security challenges as every other IT network, but lack similar security options.

“Historically ICS was designed to be completely segregated and confined by physical boundaries. However, each new IP address punches another hole in the metaphorical wall that separates Information Technology (IT) and Operational Technology (OT). Having established IT connectivity, it’s difficult to put the genie back in the bottle and each of these avenues is a potential point of weakness that can be compromised – by hackers burrowing in or malware (such as ransomware) detonating internally and then radiating out.”

Andrew Cooke, head of cyber consulting at Airbus Defence and Space CyberSecurity, added: “Malware is prevalent in a wide range of industrial systems, often spread by an infected USB stick or by unauthorized remote access. But while the majority of malware found in these systems is low level, it can still pose a serious risk for the organizations concerned. Sophisticated attackers often use these methods to gain valuable intelligence about the way that a system is operated, configured and run.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/22/malware_siemens_plc_firmware/

Error prone, insecure, inevitable: Say hello to today’s facial recog tech

Facial recognition technology represents a valuable, and likely inevitable, method of identification for cops and Feds. Unfortunately, it’s largely unregulated, error prone, and insecure.

During a hearing held by the US House Committee on Oversight and Government Reform on Wednesday, Chairman Jason Chaffetz (R-Utah) acknowledged the potential utility of facial recognition technology even as he expressed concern about the way it is being used.

Chaffetz said the technology makes mistakes, with one in seven FBI facial recognition searches incorrectly returning a list of innocent people as matches, despite the presence of the actual matching image in the database. Chaffetz also expressed doubts about the government’s ability to secure such data. “I don’t believe they can keep all this information locked down and secure,” he said.

At issue is whether US citizens can avoid being subject to facial recognition scans in public and which laws will govern such systems.

“Is it the right public policy to populate a database with everybody’s face in it…or [just those] who have ‘earned it’?” mused Chaffetz.

The hearing comes on the heels of a May 2016 Government Accountability Office report, “Facial Recognition Technology,” which happens to include a spoiler in its subtitle: “FBI Should Better Ensure Privacy And Accuracy.”

The GAO reviewed the FBI’s Next Generation Identification-Interstate Photo System (NGI-IPS) and found that the agency failed to publish data on the privacy risks, failed to adequately evaluate the error rate of the technology, and failed to assess the accuracy of systems operated by external partners, such as states and other federal agencies.

Legislators also revisited the findings of a report published last year by Georgetown Law’s Center on Privacy and Technology. According to that report, the faces of 125 million US adults have been stored in criminal facial recognition databases, most of them innocent of any crime.

EFF senior staff attorney Jennifer Lynch during her testimony observed, “An inaccurate system will implicate people for crimes they didn’t commit,” shifting the burden onto those individuals to prove their innocence. And those falsely implicated are more likely to be minorities because of their disproportionate representation in facial recognition databases, Lynch said.

Lynch urged the committee to introduce legislation to require a warrant for accessing non-criminal facial recognition databases and for using real-time facial recognition tracking.

Plans for that are already underway. Earlier in the hearing, Jim Jordan (R-Ohio) said he was working with lawmakers including Ted Lieu (D-Ca.) to develop a legal framework that will limit how facial recognition is used.

In prepared remarks, Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown Law, said law enforcement agencies in Chicago, Dallas, Los Angeles, New York and West Virginia either have bought real-time facial recognition systems, have announced plans to use the technology, or are actively exploring it. An agency in Seattle has such a system, Bedoya said, but does not use it for real-time identification.

Responding to questions during the hearing, Bedoya added that about a quarter of police body camera vendors are making provisions to implement facial recognition support in their devices.

Bedoya concluded his remarks on an optimistic note. “We do not need to choose between safety and privacy. Americans deserve both,” he said.

In China, meanwhile, authorities have deployed face scanning to limit excessive use of toilet paper. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/22/facial_recognition_tech_questioned/