Viewing entries tagged
CYBERSECURITY

Comment

NCSC - Weekly Threat Report 22nd June 2018

This report is drawn from recent open source reporting. 

Football or Phishing?

At least two phishing campaigns are taking advantage of this year’s football World Cup.

Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily.

Phishing emails are reported to be sending fixture schedules and results mappers to fans, but the links are loaded with adware and malware.

In another example, fraudsters are offering a pair of Adidas shoes in exchange for completing a survey. The victim is then redirected to a fake Adidas website asking them to pay a small fee to receive the shoes (and an ongoing monthly charge, which is hidden in the small print).

The fake Adidas site uses homographic web links, where a character is replaced by a similar looking symbol:

  • Example 1: www. thisisarealwebsite .org.com
  • Example 2: www. thisisarea|website .org.com

The letter ‘l’ in the second website name is a symbol, but at a quick glance it is not immediately obvious. Fraudsters are increasingly using this technique and we advise readers to study web links carefully before clicking on them.

The NCSC has further information on how to protect yourself from phishing scams here. Keeping your antivirus software up to date will, in most cases, help identify any malicious files that you attempt to download. For further support, please read 10 Steps to Cyber Security.
 

Is your device earning money for cyber criminals?

Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency.

Cryptojacking malware is reportedly becoming harder to detect and sometimes operates to coincide with times where the device is not normally used, and thus remains undetected.

This type of malware is increasingly being found on devices across multiple sectors and is evolving to use the processing power of internet-connected devices, such as TVs. Some aggressive mining malware has also been found to damage devices.

In response to the increase in cryptomining, Apple has recently introduced App Store guidelines prohibiting it. It is uncertain whether other providers will follow.

Cryptomining malware is a low-cost method of earning money and cyber criminals will almost certainly continue to develop and adapt it, as long as cryptocurrencies are of value.

To prevent the installation of criminal malware, please follow the NCSC’s advice and guidance.


Attackers target cryptocurrency software

On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its Github account had been compromised just under a week earlier.

An unknown user had uploaded a modified version of the program containing malicious code. The software was otherwise identical to the original program but was detected by Windows Defender SmartScreen due to its lack of signature. As the code had been modified it was no longer recognised as legitimate and designated as being from an 'unknown publisher'.

Github consequently advised developers of cryptocurrencies and other software to implement two factor authentication (2FA) on their accounts where possible. Developers were also advised to check the integrity of published software on repository sites.

Users should be cautious when downloading from online sources. It is good practice to maintain up-to-date antivirus software and avoid software from unknown publishers.

The number of systems infected by the malicious code – and the exact method used to compromise the account in this instance – are not known. The account breach demonstrates the continuing threat posed to cryptocurrency software by attackers exploiting the cryptocurrency boom.

The NCSC has issued guidance on 2FApassword managementmitigating the threat of malwareand identity authentication.

The NCSC website also maintains a general guide on measures to improve security online.


Good cyber hygiene can help fend off LokiBot

Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords.

Armed with a victim’s credentials, criminals can access their online accounts, including social media or online banking, most often with the intent of making fraudulent payments.

LokiBot, one type of credential-stealing malware, can harvest credentials from browsers, file transfers and even cryptocurrency wallets, and is primarily distributed through malicious Microsoft Office documents attached to spam emails.

Good cyber hygiene is important in mitigating malicious software such as Lokibot, and users should ensure they apply recommended security updates and use antivirus software.

Additional security features such as the use of two factor authentication (2FA) for online accounts significantly reduces the risks users face.

Members of the Cyber Information Sharing Partnership (CiSP) can view the advisory.

Comment

.author-name { display: none; }

Comment

NCSC - Weekly Threat Report 18th May 2018

It’s not just production that needs securing

Most large companies will use an online development environment to build and test code prior to deployment on outward and inward facing networks.

Much of the code found in development environments is sensitive and critical to running and managing a business. The unauthorised disclosure of code could allow cyber actors to identify exploitable weaknesses.

Recent open source reporting has highlighted a compromise of a company’s development environment, resulting in unauthorised access to two million lines of code, application programme interfaces and secret access keys to Amazon Web Services.

A security researcher allegedly gained access to the development environment because both the username and password were set to “admin”, which was most likely the default setting for the environment.

The latest incident follows on from other reported incidents around insecure repositories and third party storage solutions, where users have failed to alter the default settings and/or configure the environments incorrectly and subsequently exposed large volumes of sensitive data.

The failure to secure development environments poses a number of threats to an organisation including:

  • Stealing of sensitive information (such as encryption and access keys, passwords, knowledge of security controls or intellectual property)
  • An attacker embedding malicious code in your project without your knowledge
  • Using a compromised development device as a proxy to further attack your build and deployment pipeline, through to production
  • Understanding how your sensitive applications work - a first step in the planning of an attack

The NCSC has previously issued guidance on securing development environments as well as approaching enterprise technology with cyber security in mind.


GDPR-inspired phishing scams

The imminent arrival of the new EU General Data Protection Regulation (GDPR) has gifted scammers with a new hook for sending phishing emails.

Many internet users are now receiving emails from organisations that they have online dealings with, explaining the new regulations and asking them for permission to carry on storing their information.

Scammers have taken advantage of this to send fake GDPR-themed emails in an attempt to spread malware or steal personal data.

Apple customers, for example, have been sent a link advising users that their accounts had been “limited” due to unusual activity and then asking them to update their security information.

Users are then directed to a fraudulent webpage where they are asked to input security information. Once this has been completed, users are then directed back to a legitimate Apple web page.

The scammers also used Advanced Encryption Standard (AES) protocols when directing users to the page controlled by them, bypassing anti-phishing tools embedded in some antivirus software.

GDPR comes into effect on 25th May 2018, so the scammers have a short window in which to use GDPR as cover for their activities.

The NCSC has published phishing guidance and you can also read the GDPR security outcomesthat have been developed by the NCSC and the Information Commissioners Office (ICO). The ICO is the UK's supervisory authority for the GDPR and has published a lot of helpful guidance on its website.

Comment

.author-name { display: none; }

Comment

NCSC - Countdown to GDPR

Anybody who is involved in cyber security or data protection will be acutely aware that the General Data Protection Regulation - better known simply as GDPR - comes into force on Friday (the 25th of May). We have worked very closely with the Information Commissioners Office (ICO) to develop a set of a set of GDPR Security Outcomes, which we published last week. 

GDPR and cyber

If you have tried to read and understand the relevant articles described in the Regulation, well done. I personally have found it really hard work to break it apart, summarise what security measures it really seeks, and then overlay good cyber security practice to meet those requirements. Thankfully, the ICO really do understand the detail, and so we have worked together to describe what the regulation requires and provide an overview on what sorts of cyber security measures we expect those organisations processing personal data to have in place. We have published this work as a set of Security Outcomes required for GDPR, together with some relevant overarching GDPR information. Whilst we have a shared interest with the ICO on cyber security, of course they are the lead for the GDPR and you should consult their website for any general GDPR questions or needs that you might have.

What GDPR says about cyber

Now I'm going to quote parts of the Regulation here  - so bear with me - but I will give some context as well.

There is an overarching requirement that basically says that you need to protect personal information. It states that personal information must be:

"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"

The key thing to note here is that personal information being correct and available is in scope - not just protecting its confidentiality.

One thing that I personally like in the GDPR (OK so it's a little bit nerdy to have a favourite part of data protection legislation) is that it specifically requires organisations to think about security as you design services as well as at the point when processing happens. It means that services must be designed with security in mind from the outset, and that you have to keep them secure through the whole lifecycle. You can't just develop services and allow security debt (when security corners are cut to meet to meet business delivery) to accumulate.

The Regulation refers in a number of places to:

"appropriate technical and organisational measures"

It emphasises that you need to take a risk managed approach to security that is influenced by the risk to the individuals whose data you are processing, the state of the art (of technology) and cost. 'Appropriate' really does depend; we understand that saying 'it depends' can be really frustrating and people need a bit more certainty than that. Whilst the GDPR takes this 'it depends' approach, we have worked with the ICO to develop Security Outcomes that we would jointly expect any organisation to meet.

What are Security Outcomes?

As the name suggest these are outcomes that any organisation should seek to achieve with regards to cyber security. They do not themselves carry mandatory status, although they are our joint approximation of what appropriate means under the Regulation. You'll find that the outcomes do not say precisely what to do with regards to cyber security. That's deliberate as it's not for us (neither the NCSC nor the ICO) to tell you what technologies to use, nor to limit your choices in how you chose to protect them. Equally we need the outcomes to work for organisations of many sizes and complexity. Overall this was probably the hardest challenge and we'd like to hear your feedback if there are areas that don't quite work (and the reasons of course).

As we wrote the outcomes, we attempted to define the minimal set of measures that represent decent practice with regards to security. We do not believe we have described anything that is unreasonable, or should be surprising to you. Again let us know if you feel this isn't the case. Defining what we believe to be good practice means that existing guidance remains appropriate and can help you design measures that meet the outcomes. There is a lot of existing material  - including our own Small Business Guide and ICO's guidance on GDPR - which you may find helpful.

We know that good security isn't just about putting technical mitigations in place. The outcomes are aligned to 4 top level aims which cover how you manage security, protecting personal data from cyber attack, detecting incidents and minimising the impact if an incident does happen. 

Existing schemes and certifications

I'm asked a lot whether having Cyber Essentials means you are compliant with the GDPR cyber security requirements. Certainly having Cyber Essentials certification is a good thing and it will show that you take protecting yourself from cyber attack seriously. I wholeheartedly recommend it but there are other areas, outside the scope of Cyber Essentials, where you need to protect personal information too. A good example might be protecting data at rest on a laptop. The same logic applies to other certifications you might have; they are part of the picture, but you must still ensure that you are comprehensively protecting personal data.

If something goes wrong

Occasionally even the most diligent organisation might experience a security incident. The whole approach of the GDPR is based on managing risk, not avoiding all risk. The fact that some of our Security Outcomes describe detecting events and minimising the impact should underline this. If you are (or think you are) subject to an incident that involves personal data then you are likely to be obliged to report this to the ICO. They have published guidance on their website to help you understand what you should report, and by when.

Ian M

Principal Technical Director, Risk Management Capability

Comment

.author-name { display: none; }

Comment

NCSC - Weekly Threat Report 27th April 2018

Cost of ransomware attack on Atlanta

As reported in the Weekly Threat Report of 6 April 2018, the US city of Atlanta recently fell victim to an attack by the SamSam ransomware, which exploits a vulnerability in Java servers.

New reports indicate the city spent in the region of $2.66m responding to the attack. Costs included incident response, recovery and crisis management, but the city did not pay the ransom demand, reported to be approximately $55,000. There was also a broader cost in terms of the disruption the attack brought to city-wide services, with residents unable to pay bills and parking tickets as the city’s self-service portal was taken offline.

This case highlights the costs to organisations of ransomware attacks. However, paying a ransom does not guarantee that data will be returned and access to files restored. Nor does paying a ransom prevent a future attack; indeed, it may encourage further attacks.

Investment in cyber security can reduce the likelihood of malware infection and prevent the need for costly clean-up operations.

The NCSC has issued guidance on mitigating ransomware and other forms of malware.
 

Iran and India ban cryptocurrencies

Iran’s central bank has banned Iranian banks, credit institutions and currency exchanges from selling or purchasing digital currencies. It says cryptocurrencies, like Bitcoin, are used in money-laundering and financing terrorism, and that they are inherently unreliable and risky.

The same concerns are expressed widely around the world, including by the Chief of the International Monetary Fund, but many also believe digital currencies and the technology behind them could have a positive effect as a low-cost payment method.

Iran’s actions follow similar decisions by other central banks, such as the Reserve Bank of India’s decision in April to serve three months’ notice for entities they regulate to cease dealing in digital currencies.

The central bank decisions have been concerning for digital currency users in these countries (reportedly around five million in India), but it is too early to say whether these actions will last, have any long-term impact on the wider cryptocurrency market or whether other countries will follow suit.

Some countries are debating the regulation of digital currencies: Japan has recently created a regulatory body for its cryptocurrency exchanges, for example, and others have considered creating their own state-backed digital currencies.

The future of digital currencies is still unknown, which is a major contributing factor to their price volatility, but they are likely to be with us for the foreseeable future.

Comment

.author-name { display: none; }