Sat.Oct 19, 2019 - Fri.Oct 25, 2019

Protect IT—A Combination of Security Culture and Cyber Hygiene Good Practices

Thales eSecurity

In the spirit of National Cyber Security Awareness Month (NCSAM), my colleague Ashvin Kamaraju wrote about how organizations can use fundamental controls to secure their information technology. Effective digital security doesn’t end at “Secure IT,” however.

61% of organisations reported a data breach in 2019

IT Governance

If your organisation didn’t suffer a data breach last year, consider yourself one of the lucky few. The insurance firm Hiscox found that 61% of organisations were compromised in the past 12 months.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Software Is Infrastructure

ForAllSecure

The realization that software is becoming an essential component of our everyday lives was reflected yet again in this year’s. Black Hat. Even more solutions are being touted to deal with the ever-growing exposure of software to malicious threats.

52

Avast, NordVPN Breaches Tied to Phantom User Accounts

Krebs on Security

Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that — while otherwise unrelated — shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password. Based in the Czech Republic, Avast bills itself as the most popular antivirus vendor on the market, with over 435 million users. In a blog post today, Avast said it detected and addressed a breach lasting between May and October 2019 that appeared to target users of its CCleaner application, a popular Microsoft Windows cleanup and repair utility. Avast said it took CCleaner downloads offline in September to check the integrity of the code and ensure it hadn’t been injected with malware. The company also said it invalidated the certificates used to sign previous versions of the software and pushed out a re-signed clean update of the product via automatic update on October 15. It then disabled and reset all internal user credentials. “Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast’s Jaya Baloo wrote. This is not the first so-called “supply chain” attack on Avast: In September 2018, researchers at Cisco Talos and Morphisec disclosed that hackers had compromised the computer cleanup tool for more than a month, leading to some 2.27 million downloads of the corrupt CCleaner version. Avast said the intrusion began when attackers used stolen credentials for a VPN service that was configured to connect to its internal network, and that the attackers were not challenged with any sort of multi-factor authentication — such as a one-time code generated by a mobile app. “We found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA,” Baloo wrote. THE NORDVPN BREACH. Separately, NordVPN, a virtual private networking services that promises to “protect your privacy online,” confirmed reports that it had been hacked. Today’s acknowledgment and blog post mortem from Nord comes just hours after it emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN,” writes Zack Whittaker at TechCrunch. VPN software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. This can offer a measure of anonymity, but the user also is placing a great deal of trust in that VPN service not to get hacked and expose this sensitive browsing data. NordVPN’s account seems to downplay the intrusion, saying while the attackers could have used the private keys to intercept and view traffic for some of its customers’ traffic, the attackers would have been limited to eavesdropping on communications routing through just one of the company’s more than 3,000 servers. “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” reads the NordVPN blog post. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.” NordVPN said the intrusion happened in March 2018 at one of its datacenters in Finland, noting that “the attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed.” NordVPN declined to name the datacenter provider, but said the provider removed the remote management account without notifying them on March 20, 2018. “When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider and shredded all the servers we had been renting from them,” the company said. “We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This couldn’t be done quickly due to the huge amount of servers and the complexity of our infrastructure.” This page might need to be updated. TechCrunch took NordVPN to task on the somewhat dismissive tone of its breach disclosure, noting that the company suffered a significant breach that went undetected for more than a year. Kenneth White , director of the Open Crypto Audit Project , said on Twitter that based on the dumped Pastebin logs detailing the extent of the intrusion, “the attacker had full remote admin on their Finland node containers.” “That’s God Mode folks,” White wrote. “And they didn’t log and didn’t detect it. I’d treat all their claims with great skepticism.” ANALYSIS. Many readers are curious about whether they should enshroud all of their online communications by using a VPN. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process. For a breakdown on what you should keep in mind when considering a VPN service, see this post. Forgotten user accounts that provide remote access to internal systems — such as VPN and Remote Desktop services (RDP) — have been a persistent source of data breaches for years. Thousands of small to mid-sized brick-and-mortar businesses have been relieved of millions of customer payment card records over the years when their hacked IT contractors used the same remote access credentials at each client location. Almost all of these breaches could have been stopped by requiring a second form of authentication in addition to a password, which can easily be stolen or phished. The persistent supply chain attack against Avast brings to mind something I was considering the other day about the wisdom of allowing certain software to auto-update itself whenever it pleases. I’d heard from a reader who was lamenting the demise of programs like Secunia’s Personal Software Inspector and FileHippo , which allowed users to automatically download and install available updates for a broad range of third-party Windows programs. These days, I find myself seeking out and turning off any auto-update functions in software that I install. I’d rather be alerted to new updates when I launch the program and have the ability to review what’s changing and whether anyone has experienced issues with the new version. I guess you could say years of dealing with unexpected surprises on Microsoft Patch Tuesdays has cured me of any sort of affinity I may have once had for auto-update features. Data Breaches Avast breach FileHippo Jaya Baloo Kenneth White NordVPN breach Open Crypto Audit Project Secunia Personal Software Inspector supply chain attack Techcrunch Zack Whittaker

How to Solve 4 Common Challenges of Legacy Information Management

Speaker: Chris McLaughlin, Chief Marketing Officer and Chief Product Officer, Nuxeo

After 20 years of Enterprise Content Management (ECM), businesses still face many of the same challenges with finding and managing information. Join Chris McLaughlin, CMO and CPO of Nuxeo, as he examines four common business challenges that these legacy ECM systems pose and how they can be addressed with a more modern approach.

Phishing Schemes Continue to Plague the Healthcare Sector

Data Breach Today

Experts Offer Insights on Mitigating the Threat Recent health data breaches involving phishing schemes are reminders of the persistent threat email-related scams pose to healthcare organizations - and the urgent need to mitigate that threat

More Trending

Pompeo Was Riding High—Until the Ukraine Mess Exploded

WIRED Threat Level

The US secretary of state may be a Trump favorite, but the Ukraine scandal appears to threaten Mike Pompeo’s ambitions for higher office. Backchannel Security

Cachet Financial Reeling from MyPayrollHR Fraud

Krebs on Security

When New York-based cloud payroll provider MyPayrollHR unexpectedly shuttered its doors last month and disappeared with $26 million worth of customer payroll deposits , its payment processor Cachet Financial Services ended up funding the bank accounts of MyPayrollHR client company employees anyway, graciously eating a $26 million loss which it is now suing to recover. But on Oct. 23 — less than 24 hours before another weekly payroll rush — Pasadena, Calif.-based Cachet threw much of its customer base into disarray when it said its bank was no longer willing to risk another MyPayrollHR debacle, and that customers would need to wire payroll deposits instead of relying on the usual method of automated clearinghouse (ACH) payments (essentially bank-to-bank checks). Cachet processes some $150 billion in payroll payments annually for more than 110,000 employers. But payroll experts say this week’s actions by Cachet’s bank may well soon put the 22-year-old company out of business. “We apologize for the inconvenience of this message,” reads the communication from Cachet that went out to customers just after 6:30 PM ET on Oct. 23. It continued: “Due to ongoing fraud protocol with our bank, they are requiring pre-funding via Direct Wire for all batches that were uploaded this week, unless employees were already paid or tax payments were already transmitted. This includes all batch files moving forward.” All files that were uploaded today for collection and disbursement will not be processed. In order to process disbursement, we will need to receive a wire first thing tomorrow in order to release the disbursements. All collections that were processed prior to today will be reviewed by the bank and disbursements will be released once the funds are cleared. Credit trans. Deadline for wires is 1 P.M. PST. This will be the process until further notice. If you need a backup processor, please contact us. If you require wire instructions, please respond to this email and they will be sent to you. We welcome and anticipate your phone calls and inquiries. We remain committed to our clients and are determined to see this through. We appreciate and thank you for your patience and understanding.” In a follow-up communication sent Thursday evening, Cachet said all debit transactions with a settlement date of Oct. 23 had been processed, but that any transactions uploaded after Oct. 23 were not being processed at all, and that wires are no longer being accepted. “If they aren’t taking money, they’re out of business,” Friedl said of Cachet. Cachet’s financial institution, Wilmington, Del. based The Bancorp Bank ( NASDAQ: TBBK ), did not respond to requests for comment. Cachet also did not respond to requests for comment. But in an email Thursday evening, the company sought to offer customers a range of alternatives — including other providers — to help process payrolls this week. Steve Friedl , an IT consultant in the payroll service bureau industry, said the Cachet announcement has sent payroll providers scrambling to cut and mail or courier paper checks to client employees. But he said many payroll providers also use Cachet to process tax withholdings for client employees, and that this, too, could be disrupted by the funding changes. “There’s a lot of same day stuff that goes on in the payroll industry that depends on people being honest and having money available at certain times,” Friedl said. “When that’s not possible because a bank in that process says it doesn’t want to be stuck in the middle that can create problems for a lot of people who are then stuck in the middle.” Another payroll expert at a company that uses Cachet but who asked not to be named said, “everyone I know at payroll providers is scrambling to get it done another way this week” as a result of the decision by Cachet’s bank. “Those bureaus will do whatever they can to keep their clients happy because something like this can quickly put them out of business,” the source said. “Unlike what happened with MyPayrollHR — which harmed consumers directly — the payment service bureaus are the ones potentially getting hurt here.” Most corporate payroll is handled through ACH transactions, a system that allows financial institutions to push and pull funds to and from checking accounts between banks. ACH is essentially the same thing as writing a check for a good or service, and it typically involves an element of trust because there is a time delay (24-48h) between which the promised funds are released to the receiving bank and the funds are made available to the recipient. In contrast, a wire transfer takes minutes and the funds are made available to the recipient almost immediately. Wires are also far more expensive for customers, and they earn banks hugely profitable processing fees, whereas ACH transaction fees are minuscule by comparison. Ultimately, banks may decide that for certain clients they no longer wish to assume the risk of fraudsters exploiting the float period for ACH transactions to steal tens of millions of dollars, as was the case in the MyPayrollHR fiasco. It’s worth noting that the MyPayrollHR fraud wasn’t the first time Cachet has been tripped up by the demise of a payroll company: In 2016, the collapse of Monterey, Calif. based payroll processor Pinnacle Workforce Solutions left Cachet holding the bag for more than $1 million. Cachet sued to recover the money stuck in Pinnacle’s frozen accounts. From The Monetery County Weekly : “Cachet’s lawyers also outline possible nefarious action by Pinnacle. ACH companies act as middlemen for processing payroll and other large transactions. Every pay period, Pinnacle would send Cachet a coded file to tell the ACH how to distribute funds. But, on Sept. 21 [2016] Pinnacle had manipulated the code sent to Cachet so the money collected from its clients went directly to Pinnacle instead of being held in the ACH account before being distributed to its clients’ employees, the suit alleges.” It will be interesting to see how long the fallout from the MyPayrollHR episode will last and how many other firms may get wiped because of it. Shortly after MyPayrollHR closed its doors last month and disappeared with $35 million in payroll and tax payments, the company’s 49-year-old CEO Michael Mann was arrested and charged with bank fraud. The government alleges Mann was kiting millions of dollars in checks between his accounts at Bank of American and Pioneer from Aug. 1, 2019 to Aug. 30, 2019. The Times Union reports that Mann and his company are now being sued by Pioneer Bank and a large insurance company over a $42 million loan it gave to Mann and his companies just a month before his payroll business closed up shop. The Coming Storm

Senators Push for FTC Probe Into Amazon Over Capital One

Data Breach Today

Lawmakers Ask FTC to Investigate Whether Amazon Broke Federal Law Democratic lawmakers are urging the U.S. Federal Trade Commission to open an investigation into whether Amazon violated federal law by failing to the prevent Capital One's devastating data breach.

Building a Cybersecurity Culture: What's Love Got to Do With It?

Dark Reading

Turns out, a lot. Get people to fall in love with the security team, and you'll get them to care about security, CISOs say in part 2 of a two-part series about building security culture

Top 10 industries for monetizing data: Is yours one of them?

Find out which industries, use cases, and business applications are the best opportunities for data monetization. Understand what data is being monetized, who wants it, and why. Use data you already own to create new revenue sources. Download the eBook today!

In Hong Kong, Which Side Is Technology On?

WIRED Threat Level

Yes, authoritarians have co-opted tech. But the story is far from over. Security Security / Privacy

Ransomware Hits B2B Payments Firm Billtrust

Krebs on Security

Business-to-business payments provider Billtrust is still recovering from a ransomware attack that began last week. The company said it is in the final stages of bringing all of its systems back online from backups. With more than 550 employees, Lawrence Township, N.J.-based

B2B 197

Johannesburg Struggles to Recover From Ransomware Attack

Data Breach Today

It's the Second Attack to Target South African City This Year Johannesburg has been hit with a ransomware attack that is crippling municipal services. City Power, an electric utility owned by the city that was hit by a similar attack in July - also was affected by the latest attack

Dark Web Site Taken Down without Breaking Encryption

Schneier on Security

The US Department of Justice unraveled a dark web child-porn website, leading to the arrest of 337 people in at least 18 countries.

Privacy without borders: Reality or Fantasy?

Imagine a world in which every country shared a vision and a common set of principles to protect and regulate the use of personal data. It would make international business far simpler, provide citizens in every country with the same privacy rights.

TikTok, Under Scrutiny, Distances Itself From China

WIRED Threat Level

Three senators have called for an investigation into the social media app, which is owned by the Chinese tech giant ByteDance. Security Security / National Security

Exploring the CPDoS attack on CDNs: Cache Poisoned Denial of Service

Security Affairs

Boffins disclosed a web attack technique (CPDoS attack) that can poison content delivery networks (CDNs) into caching and then serving error pages.

Paper 83

Clinton Email Probe Cites 38 for Violations

Data Breach Today

State Dept.

NordVPN Breached

Schneier on Security

There was a successful attack against NordVPN: Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates.

The Key to Strategic HR: Process Automation

Do you want to automate your HR processes, but don’t know where to start? In this eBook, PeopleDoc explores which processes benefit the most from automation, and how an HR Service Delivery platform can help get things off the ground.

At an Outback Steakhouse Franchise, Surveillance Blooms

WIRED Threat Level

Fried onion meets 1984. Security Security / Privacy Business / Artificial Intelligence

A critical Linux Wi-Fi bug could be exploited to fully compromise systems

Security Affairs

A researcher discovered a critical Linux vulnerability, tracked as CVE-2019-17666 , that could be exploited to fully compromise vulnerable machines.

Russian Hackers Coopted Iranian APT Group's Infrastructure

Data Breach Today

UK and US Intelligence Agencies Report That Turla Group Seized OilRig APT Assets Turla, an advanced persistent threat group with apparent ties to Russia, seized attack infrastructure and tools used by OilRig, an Iranian APT group, U.K. and U.S. intelligence agencies have jointly reported.

IT 173

Avast Foils Another CCleaner Attack

Dark Reading

Abiss' attackers used an older VPN profile to get into Avast's network and targeted its CCleaner utility

IT 81

Embedded BI and Analytics: Best Practices to Monetize Your Data

Speaker: Azmat Tanauli, Senior Director of Product Strategy at Birst

By creating innovative analytics products and expanding into new markets, more and more companies are discovering new potential revenue streams. Join Azmat Tanauli, Senior Director of Product Strategy at Birst, as he walks you through how data that you're likely already collecting can be transformed into revenue!

Public Voice Launches Petition for an International Moratorium on Using Facial Recognition for Mass Surveillance

Schneier on Security

Coming out of the Privacy Commissioners' Conference in Albania , Public Voice is launching a petition for an international moratorium on using facial recognition software for mass surveillance. You can sign on as an individual or an organization. I did. You should as well.

IT 79

Experts found DLL Hijacking issues in Avast, AVG, and Avira solutions

Security Affairs

Flaws in Avast, AVG, and Avira Antivirus could be exploited by an attacker to load a malicious DLL file to bypass defenses and escalate privileges.

Here's Why 'Raccoon' Infostealer Is Popular With Criminals

Data Breach Today

Cheap and Simple 'Malware as a Service' Sold in Cybercriminal Underground The "Raccoon" infostealer, first spotted in the wild earlier this year, is rapidly gaining in popularity on underground forums due to its low cost and ability to steal a wide range of data, including credit card numbers and cryptocurrency wallets, according to a new analysis from Cybereason.

IT 169

Developers: The Cause of and Solution to Security's Biggest Problems

Dark Reading

The everything-as-code revolution requires cybersecurity to increasingly enlist the help of developers to solve the industry's most pressing issues

Calculating the Benefits of the Advanced Encryption Standard

Schneier on Security

NIST has completed a study -- it was published last year, but I just saw it recently -- calculating the costs and benefits of the Advanced Encryption Standard.