Yahoo hack effects Sky and BT emails as well

The world’s largest hacking of Yahoo also effects BT and Sky email users.

The world's largest hacking of Yahoo also effects BT and Sky email users.Yahoo wasn’t the tech giant in Silicon Valley that it used to be, but the news that half a billion user details were stolen from it over two years ago in 2014 should still concern everyone.

It now transpires that both BT and Sky used Yahoo’s email system and labelled it as their own.  Which is particularly ironic given that Sky’s parent company Fox has had to pay out hundreds of millions to people it had itself hacked it’s customers.

What is even more worrying is customer inertia- that’s because stubborn user behavior and the economics of darknet markets mean the chances of a serious breach at another major internet service increase dramatically with each hack.

The user behavior part is that people like to reuse their passwords—a lot.

One estimate, from Cambridge University’s Security Group, puts password reuse as high as 49%.

That is, we use the same password for every two accounts that require a log-in.

When a big cache of hacked passwords ends up traded on darknet markets, it often gets added to password databases. These databases can be used by corporations to ensure their users don’t use previously published, insecure passwords—or more maliciously by hackers, who will try to find passwords reused on other services.

It’s the equivalent of trying millions of different keys on a particular door, except it’s all automated and can be done in days, as the password cracker Jeremi Gosney has detailed for Ars Technica.

Password reuse and marketplaces for stolen data mean that password databases grow larger and more robust with each major breach. For example, LinkedIn was hacked in 2012 for more than 100 million user accounts. Parts of those stolen credentials wound up in darknet data dumps.

One of those log-ins belonged to a Dropbox employee, who apparently reused a password, allowing a hacker to enter the file-sharing platform’s corporate network. This led to the theft of 70 million Dropbox user passwords, which the company confirmed in August. One massive hack leads to another, forming a daisy-chain of insecurity.

The Yahoo breach is five times the size of the LinkedIn theft. That’s a lot more data to add to password-cracking lists.

The only thing we internet users have going for us now is to hope the “state-sponsored actor” that Yahoo says is behind the hack doesn’t dump the data in public, or sell it for profit. When that happens, we’re due for a password reset.

You can check if your email has been hacked and touted online at: https://haveibeenpwned.com/

Know your cyber attacker to defend yourself

Plus ca change- the Chinese general Sun Tzu said “know your enemy” 2,500 years ago- and the advice is as pertinent today as then when it comes to cyber security.

Plus ca change- the Chinese general Sun Tzu said Organisations can build better cyber defences by understanding which criminal underground is likely to target them, according to Robert McArdle, threat research team manager at Trend Micro.

There are several distinct types of cyber criminal undergrounds divided along language lines, each with their own particular characteristics, he told the Cloudsec 2016 conference in London.

The biggest and most mature are the Russian, English, German and Chinese cyber criminal undergrounds, but there also significant operations in Portuguese (Brazil) and Japanese.

“The all operate slightly differently and focus on different activities, so it depends on your business which of these undergrounds are the most likely to target your organisation,” said McArdle.

The Russian criminal underground is the longest-running, most mature criminal underground and was the first to introduce that as-as-service model, which has since been copied by most of the others.

The Russian cyber criminal underground is highly competitive, with most operations run along strict business principles, with some boasting dedicated sales departments and 24-hour support services.

The Trend Micro research team has identified several trends in the Russian underground, such as the fact that fierce competition is forcing prices lower, providing easier access to tools and services.

There has been a rapid increase in the number of tools and services targeting mobile devices and platforms in line with the growing popularity of mobile devices.

Another rapidly growing area is the trade in information about compromised sites that can be used in various cyber criminal campaigns.

Trade in credit card details continues to be strong on the Russian underground, with several sites dedicated to buying and selling this data.

“Some even have clickable maps that enable cyber criminals to view what credit cards are available in particular countries, cities and particular companies,” said McArdle.

“We have also seen the emergence of star-rating systems and the introduction of validation services that allows customers to try before they buy,” he said.

The Chinese underground is interesting, said McArdle, because although China is strongly associated with cyber espionage in the West, it is responsible for relatively little of run-of-the-mill cyber crime.

“Because of the language differences, the Chinese underground tends to build its own malware, does not rely on outside sources and mainly targets companies and individuals in China,” he said.

Although there is a fair amount of cyber crime hardware produced in China, such as card skimming devices, this tends to be sold through the cyber criminal markets based in South America.

The English cyber criminal underground is characterised by a much greater focus on physical goods, such as recreational drugs and fake identity documents, in addition to malware and killers for hire.

Distributed denial of service (DDoS) tools and services are very common in the English underground because they started out as tools developed by rival English-speaking gaming groups before migrating into extortion tools used by cyber criminals.

“We see a lot of tools and services for identity theft on the English underground, such as fake IDs, particularly in the US, where a stolen social security number can be used to impersonate someone to commit fraud by taking out loans, for example,” said McArdle.

Although the Portuguese cyber criminal underground based in Brazil is still relatively immature, he said it is growing and developing rapidly, driven by excellent online tutorials.

“Our researchers came across a three month tutorial programme for just £75 that is practically a masters level course on every aspect of conducting carding operations, including practical assignments with feedback on performance,” said McArdle.

The Portuguese underground is heavily focused on attacks on online banking, with 40% of Brazilians interacting with banks online. Consequently, most new attack methods aimed at online banking emerge in this region, providing a good indicator of what is likely to emerge in other parts of the world.

The Japanese underground is one of the least mature cyber criminal undergrounds, said McArdle, and, like the Chinese, it tends to focus on Japanese speaking customers and targets.

Although there is relatively little malware available because of the strict anti-malware legislation in Japan, he said there is a strong focus on Trojan malware and malware for webcams.

The Japanese underground is also characterised by gated communities, the use of coded language to refer to goods and services, and free porn websites pop-ups that demand payment for allegedly accessing member-only content.

“Strangely enough, around 10% of those targeted by these pop-ups pay the money demanded, even though the claims are false and no malware is involved,” said McArdle.

The German cyber criminal underground is the most mature in Europe and is not far behind the Russian underground.

“There are a lot of overlaps with the Russian underground, especially in terms of fake identity goods and services driven by demand from the growing Syrian refugee population in Germany,” said McArdle.

An understanding of nature of these undergrounds, he said, means that the banking sector should concentrate on the Russian and Portuguese undergrounds, for example, while those tasked with defending government or military networks would do well to concentrate on the Chinese underground.

“Understanding attackers is key to understanding what you need to defend against and building a strategy for doing so,” said McArdle.

UK organisations not taking ransomware seriously

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low cost, low risk cyber extortion.

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low cost, low risk cyber extortion.Cyber criminals simply have to infect computer systems with malware designed to lock up critical data by encrypting it and demand ransom in return for the encryption keys.

The occurrence of ransomware attacks nearly doubled, up by 172%, in the first half of 2016 compared with the whole of 2015, according to a recent report by security firm Trend Micro.

Ransomware, the report said, is now a prevalent and pervasive threat, with variants designed to attack all levels of the network.

Ransomware is typically distributed through phishing emails designed to trick recipients into downloading the malware, or through app downloads and compromised websites.

The business model is proving extremely successful for cyber criminals, as many organisations are not prepared for it, and paying the ransom is often the best or only option open to them.

Two separate studies have revealed that universities and NHS trusts in England have been hit hard by ransomware in the past year.

A freedom of information request by security firm SentinelOne revealed that 23 of 58 UK universities polled were targeted by ransomware in the past year, but all claim not to have paid any ransom.

In a similar study by security firm NCC Group, 47% of NHS Trusts in England admitted they had been targeted, while one single trust said it had never been targeted, and the rest refused to comment on the grounds of patient confidentiality. Only one trust said it had contacted the police.

While ransomware writers were sometimes careless in the past so there was often a way to retrieve files,  that is seldom the case now, making preparation even more important.

Security firm Sophos has developed a whitepaper advising businesses on how to stay protected against ransomware.

Here are a list of best practices that businesses and public sector organisations should apply immediately to prevent falling victim to ransomware:

  • Backup regularly and keep a recent backup copy off-site
  • Do not enable macros in document attachments received via email
  • Be cautious about unsolicited attachments
  • Do not give users more login power than they need
  • Consider installing Microsoft Office viewers to see what documents look like without opening them in Word or Excel
  • Patch early, patch often because ransomware often relies on security bugs in popular applications
  • Keep informed about new security features added to your business applications
  • Open .JS files with Notepad by default to protect against JavaScript borne malware
  • Show files with their extensions because malware authors increasingly try to disguise the actual file extension to trick you into opening them

Police ask for early contact of cyber crime

Businesses should contact the Police as early as possible about cyber crime- even before they are targeted.

Businesses should contact the Police as early as possible about cyber crime- even before they are targeted“The sooner we can become involved the better,” said Garry Lilburn, detective inspector, cyber crime unit, Metropolitan Police.

Current reporting mechanisms are “clunky” and there plans to replace them, he said, but in the meantime, businesses can make direct contact with the cyber divisions of the National Crime Agency (0370 496 7622) UK-wide or the Met Police for cyber crime in London (0207 230 8129) or 01452 752644 in Gloucestershire.

“Businesses can call us to discuss what is happening and get advice without having to officially report a crime and without fear of it leaking to the media or regulators,” said Lilburn, adding that some of the biggest cyber crime cases his unit has worked on have never been reported in public.

“If businesses contact us about cyber crime in action, we can advise them on how to mitigate the attack, preserve evidence, and how to communicate with cyber extortion gangs and even the media if necessary in the case of high-profile attacks,” he said.

However, Lilburn said businesses should engage with police even before they are targeted by cyber criminals.

“We offer a service of conducting table-top exercises with businesses so they can experience what it is like to work with the police in the event of an attack by cyber criminals and learn what kind of information we will need and the kind of questions we will ask,” he said.

Businesses should also develop plans for engaging with law enforcement before they are targeted by cyber criminals, and practice those plans in the same way they do fire drills, said Kurt Pipal, assistant legal attaché, office of the legal attaché at the FBI.

“Businesses should ensure they understand what law enforcement can do for them, what investigators are likely to ask for, and what they can do to help any investigation,” he said, adding that they should get their legal counsel involved because they are going to be one of the first points of contact with the police in the event of a cyber criminal attack.

“Many firms fear reputational damage and media exposure, but engaging early with law enforcement before anything happens often alleviates many of these types of concerns and makes them more comfortable in working with law enforcement when they are attacked,” said Pipal.
Police encourage information sharing

Cyber crime is almost always international in nature, but that should not put businesses off reporting cyber criminal activities, even if they appear to be coming from overseas or conducted through anonymising proxies, said Lilburn.

Many of the recent botnet takedowns involving the FBI have been the result of international law enforcement agencies working together, said Pipal.

“While cyber criminals may be based in countries where we cannot reach them, they also like to go on vacation, and often they go to countries where we do have the ability to make arrests, so businesses should talk to law enforcement about the cyber criminal activities they are seeing,” he said.

“Law enforcement should learn from this and also begin to find ways to collect information about bad actors that can be queried by law enforcement agencies around the world,” he said.

“Just because cyber criminals are located in other countries or appear to be anonymous, businesses should not assume we will not be interested or that we will not be able to take action against those responsible”

Many of these third parties are small and medium enterprises that work as suppliers or partners to larger organisations, but these businesses typically do not have the same level of security awareness or resources as their bigger partners, said Ferguson.

“While large organisations have the resources to understand and respond to threat intelligence gathered through industry forums and the government-sponsored cyber security information sharing partnership (Cisp) and the national computer emergency response team, Cert-UK, smaller businesses do not,” he said.

Indeed Cyber Security Force are part of theGloucestershire Safer Cyber Forum- which is founded and run by the Gloucestershire Constabulary.

NCSC- National Cyber Security Centre for cyber expertise

NCSC- the National Cyber Security Centre for cyber expertise review.

NCSC- the National Cyber Security Centre for cyber expertise review.Following on from the Cyber Security Force’s news post yesterday outline NCSC- the National Cyber Security Centre, the UK government plans to make the NCSC the centre of its expertise on what is happening in cyber space, combining the knowledge gathered from incidents and intelligence with that shared with industry, academia and international partners.

The NCSC will aim to use that knowledge to provide best practice advice and guidance and to tackle systemic vulnerabilities to enhance cyber security for all.

The NCSC will support the most critical organisations in the UK across government and the private sector to secure and defend their networks. This will include the provision of bespoke advice and guidance, help to design and test networks and exercise response arrangements.

When a serious cyber incident occurs, the NCSC will work with victims to minimise the damage, help with recovery and learn lessons to reduce the chance of recurrence and minimise future impact.

According to the prospectus, this help will include connecting victims with commercial companies that are recognised as being excellent at cyber incident response, and ensuring that the wider response of government and law enforcement is well co-ordinated.

In the case of very serious incidents, the NCSC’s response may include communicating publicly about consequences and the steps people and businesses should take to protect themselves.

The establishment of the NCSC will bring a new level of coherence and effectiveness to how government does cyber security. It seeks to partner with government agencies and departments, the devolved administrations, and the wider public and private sectors.

The NCSC will also work in close partnership with law enforcement to support their efforts to tackle cyber crime, and with the UK’s security and intelligence agencies and the Ministry of Defence to identify and counter the full range of threats in cyber space.

The NCSC will support the government’s wider security and prosperity agenda by engaging with international partners on incident handling, situational awareness, building technical capabilities and capacity and contributing to broader cyber security discussions.

For organisations that have their own networks, the NCSC will run the Cyber Security Information Sharing Partnership (CiSP). This is aimed at enabling organisations to share information with each other and the NCSC about what they are seeing on their networks, and provide a forum for discussion from beginner through to expert level.

The NCSC will produce tailored advice and guidance to identified sectors and proactively work with companies on this. However, it will initially focus on sectors which form the critical national infrastructure and those of strategic or significant economic importance or tied to the delivery of key public services.

The NCSC will not offer an enquiries line for the general public and Action Fraud will continue to be the first port of call for victims to report suspected cyber crime.

However, when there is a significant cyber incident affecting the UK, the NCSC will have the leading role for government in communicating to the public, to provide reassurance and guidance on what individuals and organisations can do to better protect themselves.

The NCSC’s specialist teams will work with the Ministry of Defence – and other users of very secure communications – to ensure that operational needs are met. It will also ensure the capabilities needed to operate both independently and with the UK’s allies are available in the future.

The NCSC will work with the cyber security industry to help ensure organisations of all kinds can find cyber security products and services that are high quality and meet their needs.

Cyber attacks via SWIFT on three Asian banks shared malware links

Cyber attacks on banks vai the Swift payments system in Bangladesh, Vietnam and the Philippines used the same malware, reports Symantec.

Cyber attacks on banks vai the Swift payments system in Bangladesh, Vietnam and the Philippines used the same malware, reports SymantecJust two weeks ago the Society for Worldwide Interbank Financial Telecommunication (Swift) warned of a highly adaptive campaign targeting banks.

Swift has since acknowledged that the heist involved altering Swift software to hide evidence of fraudulent transfers, but it said its core messaging system was not harmed.

Swift is a global member-owned co-operative that provides secure financial messaging services that connect more than 11,000 financial services organisations in more than 200 countries and territories.

Commenting on the incidents Swift said he attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at the banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.

Swift said the cyber criminals had used malware to manipulate PDF document reports confirming the messages to hide their tracks.

In the earlier cases, Swift said it appeared that insiders or cyber attackers had obtained user credentials and submitted fraudulent money transfer requests.

In addition to this, Symantec said some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus.

Symantec believes the attacks on the banks are linked and were possibly carried out by the same group.

They believe this because of similarities in distinctive wiping code between Trojan.Banswift used in the Bangladesh attack and early variants of Backdoor.Contopee, which has been used in limited targeted attacks against the financial industry in south-east Asia.

Symantec believes distinctive code shared between families – and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region – means these tools can be attributed to the same group.

Backdoor.Contopee has been previously used by attackers associated with a broad threat group known as Lazarus. Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea.

The group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment.

The group was the target of a cross-industry initiative known as Operation Blockbuster earlier in 2016, which involved major security suppliers sharing intelligence and resources to assist commercial and government organisations in protecting themselves against Lazarus.

As part of the initiative, security firms are circulating malware signatures and other useful intelligence related to these attackers, but Symantec said the discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region.

While awareness of the threat posed by the group has now been raised, its initial success may prompt other attack groups to launch similar attacks. Banks and other financial institutions should remain vigilant, Symantec said.

Gloucestershire Safer Cyber Forum accepts Cyber Security Force

The Gloucestershire Safer Cyber Forum has accepted Cyber Security Force to join it.

The Gloucestershire Safer Cyber Forum has accepted Cyber Security Force to join it.The Gloucestershire Safer Cyber Forum (GCSF)  was set up and run by the Gloucestershire Constabulary to to provide a source of crime prevention, advice and to share cyber threat information.

GSCF also provides a secure environment for Gloucestershire business to engage directly with peers and Gloucestershire Constabulary on incidents or concerns around cybercrime, along with the ability to report it anonymously.

Being part of GSCF means that we can be at the leading edge of information on how to avoid cyber security issues and when they do arise how best to prevent and recover from the bad guys out there.

Few organisations prepared for cyber attacks, says report

Only 23% of organisations are capable of responding effectively to critical security incidents, according to NTT Com Security’s latest threat report.

Only 23% of organisations are capable of responding effectively to critical security incidents, according to NTT Com Security's latest threat report.
Nearly 80% of organisations remain unprepared and without a formal plan to respond to cyber security incidents, a report has revealed.

There has been little improvement in preparedness in the past three years, according to the annual Global Threat Intelligence Report (GTIR) by NTT Com Security in The Global Threat Intelligence Report 2016.

Based on data from 24 security operations centres, seven R&D centres, 3.5 trillion logs and 6.2 billion attacks in 2015, the GTIR shows that on average, only 23% of organisations have the capability to respond effectively to critical security incidents.

The lack of improvement was further underlined by the finding that nearly 21% of vulnerabilities detected in client networks were more than three years old, while more than 12% were over 5 years old, and over 5% were more than 10 years old.

Results included vulnerabilities from as far back as 1999, making them over 16 years old.

“Prevention and planning for cyber security incidents seems to be stagnating,” said Garry Sidaway, vice-president of strategy and alliances at NTT Com Security.

“This is a real concern and could be due to a number of reasons, such as security fatigue caused by too many high profile security breaches, information overload and conflicting advice in combination with the sheer pace of technology change, lack of investment and increased regulation.

“Facing security challenges that didn’t exist last year, let alone a decade ago, and struggling with a shortfall in information security professionals, many organisations no longer have the necessary skills or resources to cope. Our mantra is prevention is better than cure and get the security basics right, including having a clear, well-communicated incident response plan.”

Although financial services was the leading sector for incident response in previous annual GTIR reports, the retail sector now takes the lead, with 22% of all response engagements, up from 12% the previous year. But retail – a popular target due to processing large volumes of personal information such as credit card details – also experienced the highest number of attacks, the report shows.

The report shows an increase in breach investigations to 28% in 2015 compared with 16% the previous year, with most incidents involving theft of data and intellectual property.

Internal threats jumped to 19% of overall investigations – from 2% in 2014 – with many of these the result of employees and contractors abusing information and computing assets.

Spear phishing attacks accounted for approximately 17% of incident response activities in 2015, up from 2% previously. Many of these attacks related to financial fraud targeting executives and finance personnel, with attackers using clever social engineering tactics, such as getting organisations to pay fake invoices.

Despite the rise in distributed denial of service (DDoS) hacking groups like DD4BC, the GTIR noted a drop in DDoS related activity compared with the previous two years. This is likely to be due to an investment in DDoS mitigation tools and services, the report said. However, the report also said extortion, based on payments by victims to avoid or stop DDoS attacks, had become more prevalent.

NTT Com Security made four recommendations for incident responses:

Prepare incident management processes and “run books”.
Many organisations have limited guidelines describing how to declare and classify incidents even though these are critical to ensure a response can be initiated. Depending on the type of attack, potential impact and other factors, response activities will be very different for each. Common practices for incident response also suggest organisations should develop “run books” to address how common incidents should be handled in their environment.

Evaluate your response effectiveness.
When incidents occur the last thing you want is to lack an understanding of standard incident response operating procedures. Evaluation of preparedness should include regular test scenarios. Consider post-mortem reviews to document and build upon response activities that worked well, as well as areas needing improvement.

Update escalation rosters.
As organisations grow and roles change, it is important to update documentation related to who is involved in incident response activities. Time is critical to incident response and not being able to quickly involve the correct people can hamper your effectiveness. Updating contact information for suppliers such as external incident response support and other providers is just as important.

Prepare technical documentation.
To make accurate decisions and identify impacted systems, organisations must have comprehensive and accurate details about their network.

90% of big UK businesses hacked by cyber attacks

There has been an increase in the number of both large and small organisations experiencing breaches according to the 2015 Information security breaches survey.

There has been an increase in the number of both large and small organisations experiencing breaches according to the 2015 Information security breaches survey

90% of large organisations reported that they had suffered a security breach, up from 81% in 2014. Small organisations recorded a similar picture, with nearly three-quarters reporting a security breach; this is an increase on the 2014 and 2013 figures.

59% of respondents expect there will be more security incidents in the next year than last.
The majority of UK businesses surveyed, regardless of size, expect that breaches will continue to increase in the next year. The survey found 59% of respondents expected to see more security incidents. Businesses need to ensure their defences keep pace with the threat.

The median number of breaches suffered in 2015 by large and small organisations has not moved significantly from 2014. 14 for large organisations and 4 for small businesses is the median number of breaches suffered in the last year.

Cost of breaches continue to soar

The average cost of the worst single breach suffered by organisations surveyed has gone up sharply for all sizes of business. For companies employing over 500 people, the ‘starting point’ for breach costs – which includes elements such as business disruption, lost sales, recovery of assets, and fines & compensation – now commences at £1.46 million, up from £600,000 the previous year.

The higher-end of the average range also more than doubles and is recorded as now costing £3.14 million (from £1.15 in 2014).

Small businesses do not fare much better – their lower end for security breach costs increase to £75,200 (from £65,000 in 2014) and the higher end has more than doubled this year to £310,800.

Organisations continue to suffer from external attacks

Whilst all sizes of organisations continue to experience external attack, there appears to have been a slow change in the character of these attacks amongst those surveyed. Large and small organisations appear to be subject to greater targeting by outsiders, with malicious software impacting nearly three-quarters of large organisations and three-fifths of small organisations.

There was a marked increase in small organisations suffering from malicious software, up 36% over last years’ figures.

69% of large organisations and 38% of small businesses were attacked by an unauthorised outsider in the last year, up from 55% a year ago and slightly up from 33% a year ago for SMEs.

Better news for business is that ‘Denial of service’ type attacks have dropped across the board, continuing the trend since 2013 and giving further evidence that outsiders are using more sophisticated methods to affect organisations.

You can find the research at: 2015 Information security breaches survey .