STE WILLIAMS

If you’re not yet familiar with Magecart, you should be. On May 3, it was revealed that hackers used it to steal payment info from hundreds of online college bookstores. By some estimates, Magecart attacks have resulted in the theft of more credit card information than the high-profile breaches at Home Depot and Target. Beyond the college bookstores, it has hit the likes of Ticketmaster, British Airways, My Pillow, and Newegg in the last year alone. It’s time you got up to speed on the topic.

Magecart (pronounced like “age-cart,” but with an “m” at the beginning) is a method used to attack the payment systems of online vendors. It is a credit card skimmer (like those attached to the magnetic stripe readers at gas pumps) that intercepts card numbers and information when a payment card is swiped at the point of sale. The data is then saved or transmitted to be used illegally later. However, unlike at the gas pump, there is almost no way for a consumer to determine that Magecart skimming is about to take place. There is no physical manifestation of Magecart and it is not always easy to catch, even for knowledgeable IT professionals, because it takes advantage of universal code and other applications not typically related to payments.

Since first appearing in 2014, Magecart has been adapted by several different groups and for various targets. Each iteration tries to adapt to whatever defenses it encounters and seeks to exploit new vulnerabilities, making it difficult to effectively predict and stop. Leading researchers, like Yonathan Klinjsma, believe the various Magecart breaches have been carried out by at least 12 different groups since the method was first used and have noticed the groups moving beyond credit cards to steal credentials and administrative information as well.

Generally speaking, payments over the Web are relatively secure, with vendors using PCI DSS-compliant systems. As companies look to cut costs and increase efficiency, many use open source code to simplify the coding process and make it more uniform across the board. Others use third-party vendors to handle their payment systems. Although not necessarily bad ideas, these solutions present enterprising hackers with an opportunity to exploit common weaknesses and employ the Magecart attack.

The Newegg.com Breach
Despite not yet being a household name, Magecart is a growing problem. Last year’s breach involving Newegg.com illustrates what Magecart does and how it works. According to Volexity Threat Research, on August 13, 2018, the Magecart attackers registered a domain name called neweggstats.com (indicating that the Newegg website was likely compromised beforehand). That same day, the attackers obtained an SSL certificate enabling the new domain to have an air of legitimacy when browsers communicate with it. The skimming started three days later when hackers added eight lines of malicious code to the payment page and continued for almost a month before it was removed.

More specifically, the Magecart attackers inserted malicious JavaScript code on a single page presented during checkout. To get to that page, a customer had to put an item in the cart and input shipping information. At that point, the customer was taken to the payment page that contained malicious code. Once the customer input their information, it was transferred to a Magecart drop server where the back end of the skimmer saved the information. Once attackers accumulated a significant amount of credit card information (about 500,000 credit card numbers), they listed it for sale on underground markets.

Not surprisingly, Newegg revealed little about how exactly it was compromised. Regardless of whether it was poor IT security protocols, bad password management, or human error, if Newegg had tighter controls, this might have been avoided. It appears that whatever security protocols Newegg had in place failed to identify that a breach occurred for nearly a month. The Magecart attackers certainly made a significant effort to ensure that their actions were not obvious, but it is fair to say that the attack went on longer than it should have.

Protecting Your Company
A seemingly endless supply of online retailers and unassuming consumers who are relying on third-party code or other similar systems to facilitate purchases means Magecart is likely to remain a threat. But being aware of Magecart and how it works should give your company an advantage in protecting itself as you consider the following four measures:

1. Reevaluate your current cybersecurity infrastructure. Your system probably already includes some type of logging and a way for reviewing it, but would you, or your IT team, know if a hacker added eight lines of code to your website’s payment page? Regardless of the answer, it is always good practice to regularly ensure that your cybersecurity system is prepared for current threats.

2. Is your IT team aware of what Magecart is? Do they know how they would respond? Do you have a cybersecurity incident response plan in place? The way it developed, it appears Newegg found out about the breach from someone else and then had to be reactive instead of proactive. If a researcher contacted your company to alert you about a breach, would you know what to do? Do you have a plan in place for evaluating any damages and communicating about the situation to your customers?

3. Carefully consider the vendors you use for your business (both online and offline), especially with regard to public facing critical systems like the checkout page. Strive to ensure that your vendors have their own cybersecurity response plan in place and are doing all they can to avoid needlessly exposing your data.

4. Avoid payment methods that require transmittal of critical credit card information. Visa has addressed this with a token system in its Visa Checkout system. While it may not be a perfect solution, it is one that removes the exchange of credit card numbers at checkout and that can protect both you and your customer.

Related Content:

• 7 Signs of the Rising Threat of Magecart Attacks in 2019
• New Software Skims Credit Card Info From Online Credit Card Transactions
• Magecart Mayhem Continues in OXO Breach

Casey Quinn is an associate in Newmeyer Dillion’s Las Vegas office, and a member of the firm’s privacy data security practice. Casey brings his substantial experience in complex business litigation to the table helping businesses proactively navigate the legal landscape … View Full Bio

Article source: https://www.darkreading.com/cloud/getting-up-to-speed-on-magecart-/a/d-id/1334884?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Want to keep electronic voting safe and secure? Make sure that the votes are captured on paper, the CEO of electronic voting systems vendor Election Systems Software wrote in an op-ed this week.

“Our company, Election Systems Software, the nation’s leading elections equipment provider, recently decided it will no longer sell paperless voting machines as the primary voting device in a jurisdiction,” wrote ESS CEO Tom Burt in his piece in Roll Call.

This is a major shift in the company’s public position on voting machine vulnerabilities. 

Burt recommended: Get more money from Congress for better security on a national level; make sure there’s a paper trail for audits and recounts; and leverage the things that currently work well.

He also derided one of the factors in the US election system and called it a strength: With more than 10,000 separate voting jurisdictions in the nation, each responsible for choosing its own election products, it would, he wrote, be very difficult for a malicious actor to launch a massive, wide-scale attack on national voting.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/application-security/voting-machine-vendor-shifts-gears-and-pushes-for-backup-paper-ballots/d/d-id/1334924?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s a scenario commonly seen in today’s businesses: executives read headlines of major breaches by foreign adversaries out to pilfer customers’ social security numbers and passwords. They worry about the same happening to them and strategize accordingly – but in the text, they learn the breach was in a different industry, of a different size, after different data.

This incident, irrelevant to the business, distracted leaders from threats that matter to them.

It’s an example of availability bias, one of many cognitive biases influencing how security and business teams make choices that keep an organization running. Availability bias describes how the frequency with which people receive information affects decisions. As nation-state attacks make more headlines, they become a greater priority among people who read about them.

“At the organizational level, we have major decision-makers deciding how much to spend on cybersecurity solutions,” explains Dr. Margaret Cunningham, principal research scientist at Forcepoint and author of “Thinking about Thinking: Exploring Bias in Cybersecurity with Insights from Cognitive Science.” These execs may be aware of more frequent threats like phishing, but the real problem is they’re interpreting risk based on what’s available in today’s news cycle.

Understanding these biases can improve understanding of how employees make decisions, Cunningham continues. An academic who describes herself as “obsessed with the type of mistakes people make,” she noticed human error was a common topic in cybersecurity. However, what human error is, and the many types of mistakes people make, were not.

“There’s no way we can be robotic about human perception,” she says. “As security specialists, we need to mitigate these risks by understanding them better.” Bias, or the tendency for people to favor a person, group, or decision over another, is swayed by past and present experiences. It’s common in situations where the correct choice isn’t always clear, she explains.

Cybersecurity: An Emotional Roller Coaster

Cognitive bias isn’t specific to cybersecurity; it’s universal. Many factors that influence human behavior fly under our radar, especially in stressful situations that security pros often face.

“Bias is fluid,” says Cunningham. “It’s shaped by past experiences, how tired we are, how emotional we are, and honestly, being in tech is highly emotional.” She points to the “warlike” language often used in cybersecurity: attack, breach, firewall. Security practitioners are especially prone to bias because they work in a field that’s highly emotional and often abstract.

Six types of biases can skew security strategies: availability bias is one, but teams should also be aware of aggregate bias, which is when people infer something about an individual based on data that describes broader populations. For example, Cunningham reports, older people are often considered riskier users because of a perceived lack of familiarity with new technologies.

Confirmation bias is when someone seeks to confirm their beliefs by exclusively searching for information that supports their hunch while excluding opposing data. This is especially common in security, she says. It’s typical among analysts who enter an investigation digging for an answer they really want. “[This] creates avenues for ignoring the whole picture because we’re looking for what we know,” says Cunningham, instead of considering other possibilities.

Another is anchoring bias, which occurs when a person locks onto a specific feature, or set of features, of data early in the decision-making process. If a value is introduced early in a sales pitch, for example, all the numbers that follow will be in the same ballpark. This plays into cybersecurity when, for example, an analyst clings to a certain value early in an investigation and fails to move away from it – even when the solution to the problem requires them to do so.

The framing effect, which affects how choices are worded, often manipulates those who buy security tools. For example, a vendor may say “one in five companies never got their data back after a ransomware attack,” placing focus on the one organization that lost data instead of the four that didn’t. This strategy causes security admins to buy pricey tools for low-probability risk.

Finally, there’s the fundamental attribution error, which is the tendency to view people’s mistakes as part of their identities rather than contextual or environmental factors. It’s seen throughout security, where analysts or developers blame users for creating risks because they’re less capable. There’s also a self-serving bias here, as the users often blame IT.

Breaking Biases

Security pros cannot “cure” biases, says Cunningham, just as they can’t cure people making mistakes.

“What we can do is become better acquainted with the types of decisions, or decision points that are frequently and predictably impacted by bias,” she explains. If someone is aware of the potential for bias in a situation, they can use this awareness to avoid bias and potentially make different, more informed, choices as a result. After all, she points out, attackers understand how they can manipulate human emotion, and they’re using this knowledge to their advantage.

Related Content:

• 6 Security Scams Set to Sweep This Summer
• The Minefield of Corporate Email
• Massive Changes to Tech and Platforms, But Cybercrime? Not So Much
• Unmixed Messages: Bringing Security Privacy Awareness Together

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/cognitive-bias-can-hamper-security-decisions/d/d-id/1334925?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new report from threat intelligence firm Recorded Future portrays Chinese technology giant Huawei as presenting a substantially bigger threat to US interests and organizations than currently perceived.

According to the firm, Huawei’s enormous range of technologies and products and its global customer base has put the company in a position to access an unprecedented amount of information on organizations, governments, and people worldwide. Huawei’s obligations to the Chinese government under various national security and related statutes puts that data at risk of interception and compromise, Recorded Future said.

“The position that Huawei occupies in China and its obligations under that government’s laws and regulations cannot be minimized,” warns Priscilla Moriuchi, director of strategic threat development at Recorded Future.

“Huawei, as a Chinese company, is not inherently malign,” she acknowledges. “However, the people that compose Huawei will at some point likely be forced into making decisions that could compromise the integrity or corporate ambitions of their customers.”

President Trump last month signed an executive order that effectively bans US government agencies from buying technologies that are owned by, controlled by, or subject to the laws of foreign adversaries.

The order cited concerns over the potential for foreign governments to force such vendors to use their technology to spy on US organizations and to conduct widespread espionage — via backdoors, for instance. The executive order also requires contractors that work with the federal government to jettison Huawei technologies from their infrastructure in a phased manner.  

The Trump administration’s order did not explicitly name Huawei, or any other technology companies for that matter. But many see it as directed particularly at the Chinese technology vendor.

Over the past few years, US officials have openly expressed concern over what they perceive as Huawei’s close ties to the Chinese government. The US has accused China of conducting widespread economic espionage for a long time. Last year, CNBC reported six US intelligence heads cautioning against the use of Huawei’s phones in the US market because of such concerns. Recently, government officials and others have focused on the national security implications of Huawei’s leadership in the 5G networking space. It has urged allies and governments around the world to stop using Huawei technology as well.

Huawei, for its part, has strongly denied accusations that it is working on behalf of the Chinese government or is supplying information to the government, as its critics have suggested. The company has described itself as a victim of a broader geopolitical battle between the US and Chinese governments. Huawei has suggested that at least some of the pushback from Western governments stems from its enormous success in the technology arena. The company is currently in the third spot behind Apple in the global smartphone market, and its technology is widely used across many parts of Asia.

“I would argue that we are beyond the point of needing specific evidence, and that we must address the question of Huawei risk comprehensively with the available data,” says Moriuchi.

Broad and Growing Footprint
Huawei currently offers a broader range of technology products than almost any other company, including Western technology giants such as Microsoft and Apple. The company’s portfolio includes broadband network components; cloud computing and storage technologies; infrastructure management software; network switches and routers; and mobile phones, laptops, and wearables. Many of these technologies are installed within organizations or are embedded in the networks of cloud service providers and other third parties, according to Recorded Future.

Huawei’s technology is being used in so-called “safe city” surveillance programs in multiple cities around the world, and the company is aggressively expanding its presence in the core Internet routing space via undersea cables and fiber-optic technology.

Huawei’s enormous footprint has given it access to more data than perhaps any single other organization. What makes that worrisome is that under Chinese laws passed since 2016, Huawei has a legal responsibility to provide access to and support the country’s intelligence-gathering apparatus, Moriuchi says. “There is no legal mechanism in China for a company to challenge or contest a request by the intelligence and security services,” she says.

Huawei has also benefited from government loans and received funding from China’s military and intelligence agencies and over the years has benefited from government support and preferential treatment, Moriuchi claims.

For companies and individuals, the threat from Huawei can be distilled down to the risk to business and personal data, networks, intellectual property, and even long-term corporate viability. When deciding to use Huawei products, organizations need to figure out what their risk tolerance for monitoring, interference, or potentially sensitive data theft from China is. 

“If the risk threshold is low, we recommend that companies minimize the number of Huawei technologies and services within core or critical segments of their networks,” Moriuchi advises.

Related Content:

• Nuanced Approach Needed to Deal With Huawei 5G Security Concerns
• UK Watchdog Criticizes Huawei for Lax Software Security, Development
• Chinese Intelligence Officer Under Arrest for Trade Secret Theft
• 8 Nation-State Hacking Groups to Watch in 2018

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/huawei-represents-massive-supply-chain-risk-report/d/d-id/1334926?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Photos used by US Customs and Border Protection (CBP) in an effort to protect travelers have been taken in an attack against a federal subcontractor. Officials confirmed the compromise, which they described as part of a malicious cyberattack.

While the agency declined to give details about the photos accessed by the attacker, the subcontractor is known to maintain databases of photos that include passport and visa photos, license plate images, and images from facial recognition systems.

According to the agency, a subcontractor transferred CBP data to its network, which was subsequently hacked. “The issue with subcontractors is that you can’t completely control how they secure their network,” says Pierluigi Stella, CTO of Network Box USA. “You can ask for certifications, financials, controls, and attestations, but there is always a limit to how much you can demand.”

In its statement announcing the breach, CBP said it has ” … removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor.”

The breach comes as CBP is increasing its use of facial recognition and other image-based security. “This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices,” said Neema Singh Guliani, a lawyer for the American Civil Liberties Union, in a statement. “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”

Read more here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/federal-photos-filched-in-contractor-breach/d/d-id/1334927?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple