Nearly 70% of UK Firms Hit by a Cyber-Attack in 2018
Over two-thirds of UK firms have fallen victim to a cyber-attack over the past year, with many claiming they don’t get enough guidance from the government on how to combat threats, according to RedSeal.
The security vendor polled over 500 UK IT professionals from mainly SMBs to better understand their cyber-resilience levels.
Some 68% claimed to have suffered at least one attack over the past 12 months, with 67% of these saying it had resulted in financial loss, over a third (37%) in customer attrition, and over a fifth (43%) in damage to their corporate reputation.
Nearly a third (31%) said the government doesn’t provide enough support on cybersecurity, despite the best efforts of the National Cyber Security Centre, which was set up two years ago with that mission in mind.
It has provided detailed advice for organizations in specific critical infrastructure sectors on how to comply with the new NIS Directive, for example, as well as implementing two-factor authentication and other crucial best practices, Cyber Aware advice for small businesses, and Cyber Essentials resources to encourage firms to get accredited with the baseline security standard.
Still, the RedSeal findings seem to show security shortcomings among many organizations. A significant minority (19%) said they had no incident response plan in place while nearly two-thirds (65%) of IT pros polled said they thought senior managers should pay more attention to cybersecurity in 2019.
The former is a serious issue given that both the GDPR and NIS Directive demand organizations have an effective plan in place should they suffer a successful attack.
Part of the challenge here is corporate culture and organization: just 30% of UK firms have a board member responsible for security, according to government figures.
Security bosses could help to break down the silos between their function and the boardroom by talking not in terms of cyber risk but business risk.
The RedSeal report’s findings are somewhat at odds with the government’s own report into cyber threat levels facing firms. Released earlier this year, it revealed that just 43% of companies had suffered a breach or attack over the previous 12 months.
Europol Touts Dark Web Win After Counterfeit Crack Down
Europol is celebrating after a major crackdown on online buyers of counterfeit money which has seen hundreds detained.
The police group claimed its latest operation stemmed from an arrest of a print shop owner in Austria in June this year.
The man was found to have been making counterfeit 10, 20, and 50 euro banknotes and selling them via several dark web marketplaces.
However, he’d failed to keep key information hidden from the investigating officers, meaning they were able to identify the email addresses of the buyers, who had purchased an estimated 10,000 banknotes.
A subsequent operation took place beginning November 19, with the majority of arrests made between December 3-6, according to Europol.
Nearly 300 houses were searched in 13 countries, with 235 suspects detained.
Police are also said to have seized 1500 counterfeit notes, drugs, weapons including guns, nunchaku, knives and blades, computers, mobile phones, Bitcoin and hardware for mining digital currency. In Germany, police even found two marijuana-growing facilities, while in France law enforcers discovered another counterfeiting print facility and a third marijuana farm.
“This joint effort highlights that complete anonymity on the internet and the darknet doesn’t exist,” said Europol deputy director of operations, Wil van Gemert.
“When you engage in illegal activity online, be prepared to have police knocking on your door sooner or later. Europol will continue to assist member states in their efforts of protecting the euro against counterfeiting, both in the real world and in the virtual one.”
The news follows an announcement last month that Europol had managed to shut down more than 33,000 websites selling counterfeit and stolen products, including pharmaceuticals, TV shows and electronics.
Police were also able to arrest 12 suspects and freeze over €1m in several bank accounts.
Despite van Gemert’s assertion, however, it is usually traditional police work offline that enables them to disrupt dark web traders. The vast majority remain at large and the marketplaces themselves up and running.
A Hertfordshire teenager has been sentenced to three years behind bars after pleading guilty in September to making bomb threats to thousands of schools and disrupting a transatlantic flight.
George Duke-Cohan, 19, from Watford, first sent bomb threats to UK schools in March 2018 and was arrested days later, according to the National Crime Agency (NCA).
The plot is said to have forced the evacuation of students at 400 schools and colleges.
However, just a month later he sent a mass email to schools in the UK and US warning that a pipe bomb had been planted on their premises, for which he was re-arrested.
Despite being on bail for charges related to these crimes, Duke-Cohan is then said to have made prank calls to United Airlines, claiming a flight to San Francisco from the UK had been hijacked by gunmen.
In one call, he pretended to be a worried father whose daughter had called him mid-flight, warning of the terrorists.
He was then arrested for a third time at his home on August 31, with officers recovering several electronic devices he had been denied access to under his bail conditions.
The 19-year-old had caused “serious worry and inconvenience to thousands of people,” according to NCA senior investigating officer, Marc Horsfall.
“He carried out these threats hidden behind a computer screen for his own enjoyment, with no consideration for the effect he was having on others. Despite being arrested and having conditions imposed restricting his use of technology, he persistently broke those conditions to continue his wave of violent threats,” he added.
“This investigation proves that operating online does not offer offenders anonymity. Duke-Cohan now has a criminal record which will harm his future career prospects and this should act as a deterrent to others.”
A series of cyber-robbery attacks have been targeting financial organizations in Eastern Europe, according to new research from Kaspersky Lab.
Researchers found that the series of attacks, dubbed DarkVishnya, have affected at least eight banks in the region, with estimated losses running into the tens of millions of dollars.
Based on data collected through Kaspersky Lab’s incident response observations in 2017 and 2018, researchers noted that in each attack, bad actors managed to smuggle an unknown and attacker-controlled device into a company building and directly connect it to the company’s local network.
The attackers were reportedly using one of three different types of devices, including a laptop, a Raspberry Pi (a single-board computer the size of a credit card) or a Bash Bunny (a specially designed tool for automating and conducting USB attacks). According to a press release, some of these devices are equipped with a GPRS, 3G or LTE modem, which the attackers use to remotely access the corporate network of the financial organization.
After establishing a connection, the threat actors try to gain access to the web servers so that they can steal the data they need to run remote desktop protocol (RDP) on a selected computer. If successful, they can then seize funds or data.
The attack was fileless: the method also leveraged legitimate remote execution toolkits such as Impacket, winexesvc.exe or psexec.exe. During the final stage of the attack, the criminals used remote control software to maintain their control over the infected computer.
“Over the past year and a half, we’ve been observing a completely new type of attacks on banks, quite sophisticated and complex in terms of detection,” said Sergey Golovanov, security expert at Kaspersky Lab, in the press release.
“The entry point to the corporate network remained unknown for a long time, since it could be located in any office in any region. These unknown devices, smuggled in and hidden by intruders, could not be found remotely. Additionally, the threat actor used legitimate utilities, which complicated the incident response even more.”
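The two detection angles the DarkVishnya write-up implies are (a) a device on the LAN that the asset inventory does not know about, and (b) the service-installation trace that tools like PsExec and winexe leave on a host. The following is an added example, not Kaspersky Lab's code; the DHCP log lines, asset inventory and Windows event records are constructed, and the Raspberry Pi OUI list and remote-execution service names are assumptions drawn from published MAC assignments and the tools' default service names.

```python
"""Two detection checks motivated by the DarkVishnya write-up.
All inputs below are constructed for this example, not real logs."""
import re

# Published OUI (first three octets) assignments for Raspberry Pi boards (assumed list).
RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}

# Constructed asset inventory: MAC -> hostname the organisation knows about.
ASSET_INVENTORY = {
    "00:1A:2B:3C:4D:5E": "fin-ws-017",
    "00:1A:2B:3C:4D:5F": "fin-ws-018",
    "3C:52:82:AA:BB:CC": "print-floor2",
}

# Constructed DHCP server log (ISC dhcpd style); one lease per line.
DHCP_LOG = """\
Dec  5 08:12:01 dhcp1 dhcpd: DHCPACK on 10.20.4.17 to 00:1a:2b:3c:4d:5e (fin-ws-017) via eth0
Dec  5 08:14:44 dhcp1 dhcpd: DHCPACK on 10.20.4.88 to b8:27:eb:11:22:33 (raspberrypi) via eth0
Dec  5 08:15:02 dhcp1 dhcpd: DHCPACK on 10.20.4.19 to 00:1a:2b:3c:4d:5f (fin-ws-018) via eth0
Dec  5 09:01:37 dhcp1 dhcpd: DHCPACK on 10.20.4.91 to 00:c0:ca:77:88:99 via eth0
"""

DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?", re.I)

def find_rogue_leases(log_text, inventory=ASSET_INVENTORY):
    """Return (ip, mac, reason) for every lease whose MAC is not in the inventory;
    Raspberry Pi OUIs are called out separately because the write-up names them."""
    findings = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        ip, mac, hostname = m.group(1), m.group(2).upper(), m.group(3)
        if mac in inventory:
            continue
        oui = mac[:8]
        if oui in RASPBERRY_PI_OUIS:
            reason = f"Raspberry Pi OUI {oui} not in inventory (hostname {hostname})"
        else:
            reason = "MAC not in asset inventory"
        findings.append((ip, mac, reason))
    return findings

# Default service names installed by PsExec and winexe (assumed from the tools' defaults).
REMOTE_EXEC_SERVICES = {"PSEXESVC", "WINEXESVC"}

# Constructed Windows System log records; event 7045 = "a service was installed".
SERVICE_EVENTS = [
    {"EventID": 7045, "Computer": "FIN-WS-017", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "FIN-WS-018", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"EventID": 7045, "Computer": "FIN-SRV-02", "ServiceName": "winexesvc",
     "ImagePath": r"C:\Windows\winexesvc.exe"},
]

def find_remote_exec_services(events):
    """Return (computer, service) pairs where a known remote-execution service
    was installed; each one is a host that warrants triage."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 7045 and ev["ServiceName"].upper() in REMOTE_EXEC_SERVICES:
            hits.append((ev["Computer"], ev["ServiceName"]))
    return hits

if __name__ == "__main__":
    for ip, mac, reason in find_rogue_leases(DHCP_LOG):
        print(f"rogue lease {ip} {mac}: {reason}")
    for host, svc in find_remote_exec_services(SERVICE_EVENTS):
        print(f"remote-exec service {svc} installed on {host}")
```

The lease check only works if the inventory is complete, so pair it with 802.1X or port security on floor switches; the service check catches the default names only, so renamed binaries still need behavioural detection.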
According to the EU GDPR (General Data Protection Regulation) Implementation Review Survey conducted by IT Governance, six months after the GDPR went into effect, the majority of organizations are failing to implement the mandatory regulations.
The study included 210 responses from participating organizations ranging in size from fewer than 10 to more than 1,001 employees from across industries. Participants were asked how far along they were in achieving GDPR compliance, and only 29% said they had implemented all of the necessary change.
Despite 59% of respondents stating that they are aware of the changes to data subject access requests (DSAR), only 29% actually have an adoption plan in place to address these changes, even though data subjects are able to file complaints that could result in fines if their DSAR is incorrectly managed.
Although respondents said they understood the ways in which the GDPR applies to their organizations, many expressed a lack of confidence in fully understanding how to implement changes. When asked whether they had completed implementation of the changes, 46.9% said yes while 45% had only partially implemented any changes. In addition, 5% responded no.
One area in which organizations have focused attention is with data flow audits, with 75% of respondents reporting that they have conducted these audits in some capacity. As part of a GDPR compliance project, organizations need to map their data and information flows in order to assess their privacy risks, according to an IT Governance press release.
“It is discouraging to see so many organizations understanding the GDPR and its applicability to their businesses but failing to comply. May 25 should have been the wakeup call, but it’s not too late to begin your compliance journey. The time is now,” commented Alan Calder, founder and executive chairman of IT Governance.
The GDPR has been in effect since May 25, 2018, and the regulations apply to all organizations that monitor the behavior of or offer goods and services to EU residents, regardless of the organization’s geographical location or where it processes data.
While there is room for improvement when it comes to implementing changes, research published by BitSight found that, despite “a steady decrease in security performance across all regions of the globe, organizations within continental Europe actually improved their security performance over the last year.
“Some of the areas that organizations have improved on include the implementation of stronger controls to reduce Internet exposed services (open ports). These improvements align well with the lead-up to the implementation of GDPR, and continue after the effective date.”
“Text-based captchas are extensively used to distinguish humans from automated computer programs,” researchers wrote. “While numerous alternatives to text-based captchas have been proposed, many websites and applications still use text-based captchas as a security and authentication mechanism. These include the majority of the top-50 popular websites ranked by alexa.com as of April 2018, including Google, Microsoft, Baidu, and many others.”
Researchers asserted that their approach to an effective text CAPTCHA solver requires far fewer real CAPTCHAs but results in better performance. “We evaluate our approach by applying it to 33 captcha schemes, including 11 schemes that are currently being used by 32 of the top-50 popular websites including Microsoft, Wikipedia, eBay and Google. Our approach is the most capable attack on text captchas seen to date.”
Their approach consists of four steps, beginning with CAPTCHA synthesis, followed by preprocessing, training the base solver and fine-tuning the base solver.
“What makes some CAPTCHAs rise above these sophisticated attacks are not the CAPTCHAs or challenges themselves, but the risk assessment behind the challenge,” said Shane Martin, software consultant of customer success at NuData Security, a Mastercard company.
“If an attacker used this method to solve CAPTCHA challenges that are built on top of enhanced security solutions such as behavioral biometrics technology, the risk assessment would recognize that an automated system was completing the challenge and would then increase the challenge complexity until the challenge could not be solved. This is why it’s important to avoid CAPTCHAs as standalone products and have them as an interdiction that appears after an accurate risk assessment.”
Over two-fifths of organizations have fallen victim to a so-called Business Process Compromise (BPC) attack, despite widespread ignorance from senior execs about the threat, according to Trend Micro.
The security giant polled over 1100 IT decision makers responsible for security across the UK, US, Germany, Spain, Italy, Sweden, Finland, France, Netherlands, Poland, Belgium and the Czech Republic.
It found that 43% had been impacted by a BPC: a type of highly targeted attack in which hackers look to manipulate an organization’s unique business processes to their own ends.
They typically involve an initial compromise followed by plenty of lateral movement inside the victim organization to conduct reconnaissance on security gaps and internal processes.
Perhaps the most famous case of a BPC to date was the attack on Bangladesh Bank where hackers installed multiple layers of malware into the bank’s IT systems to exploit the communications process between the bank and SWIFT. A total of $81m was lost, although the figure could have been much higher if an eagle-eyed employee had not spotted a spelling error on a transfer.
Vice president of security research, Rik Ferguson, claimed cyber-criminals are increasingly playing the long game for greater reward.
“In a BPC attack, they could be lurking in a company’s infrastructure for months or years, monitoring processes and building up a detailed picture of how it operates. From there they can insert themselves into critical processes, undetected and without human interaction,” he explained.
“For example, they might re-route valuable goods to a new address, or change printer settings to steal confidential information — as was the case in the well-known Bangladeshi Bank heist.”
The good news is that security teams are aware of the threat, with 72% claiming that BPC is a priority for their cyber strategy. However, half (50%) of management teams don’t know what a BPC attack is or how it could impact the organization, Trend Micro warned.
Australia has followed the UK in passing its own draconian surveillance laws which could force technology providers to engineer de facto backdoors into their end-to-end encryption products.
The opposition Labor Party stood aside at the eleventh hour to let the bill pass, on the understanding that its amendments would be passed in the new year, something the government now says it will only “consider.”
As is the norm, the government had argued that law enforcers and security services needed to be able to access specific communications to fight serious crime and protect national security.
“This ensures that our national security and law enforcement agencies have the modern tools they need, with appropriate authority and oversight, to access the encrypted conversations of those who seek to do us harm,” attorney-general, Christian Porter is reported to have said.
On the other side, experts warn that any attempt to introduce vulnerabilities into such systems would ultimately undermine security for the majority of law-abiding citizens, especially as it’s likely to be done in secret.
“This could have a devastating knock-on effect around the world. Creating a backdoor for law enforcement will never assure that no-one else will be able to access the database or files, and criminals will learn to exploit these vulnerabilities,” said ESET security expert, Jake Moore.
“If you break the fundamental way that encryption works, you risk breaking the internet and eradicating any trust and security.”
According to the Electronic Frontier Foundation (EFF), the Australian Assistance and Access Act can be seen as an attempt to mimic the controversial UK Investigatory Powers Act (IPA).
“Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers, to re-engineer software and hardware under their control, so that it can be used to spy on their users,” explained EFF international director, Danny O’Brien.
“Engineers can be penalized for refusing to comply with fines and face prison; in Australia, even counseling a technologist to oppose these orders is a crime.”
The UK’s GCHQ is already looking to wield its powers to demand that messaging providers allow government snoopers to be secretly added to conversations so they can eavesdrop. It’s described not as an encryption backdoor but a “virtual crocodile clip” — although the plan was described as “absolute madness” by Edward Snowden as destroying trust in the privacy of online services.
Already, the UK government has warned parliament that GCHQ is evolving the way it snoops on targets under the IPA. Bulk “equipment interference” (EI) — also known as bulk hacking of devices — was originally intended to be limited to overseas “discovery” operations only: the exception rather than the rule.
However, in a letter this week, security minister, Ben Wallace, admitted that GCHQ will need to “conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged.”
The reason, it appears, is the growing use of end-to-end encrypted communications.
“The communications environment has continued to evolve, particularly in terms of the range of hardware devices and software applications which need to be targeted,” the letter noted.
“In addition, the deployment of less traditional devices, and usage of these technologies by individuals of interest has advanced significantly.”
UK Consumers Have Lost £500 Each Through Online Crime
Two-fifths of UK consumers have been a victim of cybercrime with phishing topping the list, according to new research from GMX.
The email provider polled over 2000 Brits last month to better understand the impact and extent of online threats.
It found that half of those netizens affected lost money as a result. The average loss was £565 ($720), although 1% of respondents said they lost over £10,000.
Phishing and “misuse of data” were the most common forms of cybercrime, each accounting for 11% of answers. Next came malware (10%), fake e-stores (7%), online extortion (6%), and charity fraud (5%), where recipients are tricked into donating to spoofed worthy causes.
The over-55s were least likely to be victims of online crime, with 73% claiming they had never been caught out, versus 47% of those aged 16-24. This could be because older netizens are more cautious online, and/or that they spend less time on the internet.
The email firm urged consumers to remember its “three Cs”: context, common sense and charity aware.
The news comes as the busy online Christmas shopping period is well underway, with Brits expected to spend billions at their favorite e-commerce stores. They were predicted to have splashed out £5bn on Black Friday alone, half of which was online.
Security vendor Sonicwall claimed that UK phishing scams soared 648% year-on-year this Cyber Monday. It recorded 2535 attacks over the course of Monday and 11,433 for the week around this busy shopping weekend, a 436% increase on the same period in 2017.
With the run-up to Christmas still the busiest time for online shoppers in the UK, the firm warned that consumers could be deluged by phishing and similar scams, eroding trust in the brands they shop with and hitting stores’ profits.
HackEDU and HackerOne Partner to Offer Free Training
In a newly developed partnership with HackEDU, HackerOne announced that it has released a free web hacker training, adding to its Hacker101 offerings. Based on five popular, publicly disclosed vulnerability reports for which top bug bounty hackers initially earned up to $5,000 for reporting, HackerOne and HackEDU have created an interactive cybersecurity sandboxed training environment modeled after these real-world vulnerability reports.
Through training in this safe and legal simulated environment, hackers will learn the techniques of clickjacking, a vulnerability that can be used to create a worm; and XXE, a vulnerability that can be exploited to steal files. In addition, participants will learn remote code execution (RCE), a vulnerability on a server that first earned a $5,000 bounty; and an SQL injection attack using sqlmap that steals data. Rounding out the top-five vulnerabilities is an XSS attack, which causes a user to send you data without their knowledge.
Committed to growing and empowering the white hat community, HackerOne and HackEDU are providing free access to their training materials. The new HackEDU-developed vulnerability sandboxes are the latest in their interactive coursework available to hackers, who can also join existing Hacker101 interactive content, coursework and capture the flag (CTF) challenges, according to a press release.
“Hacking is a highly sought after skill, but it is not always clear how to get started or advance to the next level. This is why we started Hacker101,” said Cody Brocious, HackerOne security researcher and head of hacker education, in the release. “Now with HackEDU’s sandboxes and interactive lessons, hackers can test their skills like never before. With simulated real-world bugs – originally discovered by top bug hunters in the community – you will learn something new with these latest sandboxes, no matter your skill level.”
“HackEDU is proud to offer real-world applications with real-world vulnerabilities found on HackerOne’s platform,” said Jared Ablon, HackEDU’s CEO, in the release. “With this addition to HackEDU’s current offerings, users can explore how vulnerabilities manifest themselves in applications that people use everyday which enhances the learning process for both attackers and defenders.”