Spanish bank highlights danger of political use of DDoS
Following news this week that the website of Banco de España, the central bank of Spain, was offline due to a DDoS attack claimed by hacktivist group Anonymous Catalonia, Andrew Lloyd, president at Corero Network Security, emailed SC Media UK to comment: "Whether you classify this as nation state or hacktivism, there seems little doubt that this is another example of DDoS being used to launch a politically motivated attack.
"Governments and their security agencies across the western world have been warning of the risk that DDoS poses to critical national infrastructure. The success of this attack should serve as a warning to others who may have underestimated the risk posed by today’s DDoS attacks.
"The recent guidance from the Bank of England (BoE) requires banks to have the cyber-resilience to ‘resist and recover’ with a heavy emphasis on ‘resist’. The BoE guidance is a modern take on the old adage that ‘prevention is better than cure’. Whatever protection the Bank of Spain had in place to resist a DoS attack has clearly proven to be insufficient to prevent this outage."
100 days on from GDPR
GDPR enforcement is 100 days old tomorrow (1 September). John Buyers, a partner specialising in artificial intelligence at international legal practice Osborne Clarke, emailed SC Media UK to note how he believes that despite aiding consumers, it has hit a roadblock in terms of artificial intelligence:
"GDPR has certainly been an important step in the right direction for consumer rights within the European Union but when it comes to AI, the regulation hits a bit of a roadblock. For example, in any given scenario, we are currently technologically incapable of understanding how or why machine learning systems have come to the decisions they've come to - and that’s the problem when you’re applying GDPR principles. GDPR implicitly assumes that all technology is white box but that’s not necessarily the case. Machine learning solutions are inherently black box.
"Another issue with AI is that Article 22 of GDPR states that if you use automated decision making, you cannot rely on legitimate interest as a lawful basis for processing.
"So while the aims of the legislation are laudable, there is a wave of technological adoption in relation to machine learning that I think is unassailable, and it’s going to happen whether or not the GDPR is in place. Businesses, therefore, will need to be more creative in the way they tackle GDPR, and regulators will need to be more flexible in how they apply the principles under GDPR."
...And 500 days to go for the end of Windows 7
It is also exactly 500 days from tomorrow that Microsoft pulls the plug on Windows 7 and stops providing security updates - yet 64 percent of UK businesses reportedly don’t see the migration away from Windows 7 as a priority before the January 2020 deadline. That’s according to new research from Enterprise IT platform Kollective.
A survey of 130 UK businesses found 39 percent running Windows 7 across their organisations, while nearly 1 in 5 (17 percent) aren’t even aware of the end of support.
Despite the deadline, seven percent of UK businesses have no plans to migrate away from Windows 7. Only 21 percent of UK businesses have completed their migration to Windows 10. 21 percent will leave it up to individual employees to update and migrate their systems. Network issues mean that 29 percent of UK businesses must allow at least a month to roll out new OS and security updates.
Commenting on the findings, Jon O'Connor, solution architect at Kollective said, "While 500 days may seem like a long time, it took many businesses upwards of three years to transition from Windows XP to Windows 7. Although Microsoft has since streamlined the process, we are expecting similar migration timelines for Windows 10.
"For large enterprises, the key will be ensuring that the update can be rolled out automatically and at scale. Unfortunately our research suggests that many businesses simply don’t have the network infrastructure needed to achieve this simultaneous update, as such many will spend months – or even years – migrating their systems entirely."
Chinese hackers found targeting Japan and the west
CrowdStrike has released intelligence indicating the activity of a new China-based hacking group targeting Western organisations and Japan, with indications that it may be tied to the historic groups known as GOTHIC PANDA and STONE PANDA.
It says it has validated accusations made by the unidentified blogging site IntrusionTruth, whose posts exposed individuals with ties to STONE PANDA activity. The Intrusion Truth group says its starting point for the investigation was a domain name first published in FireEye’s Poison Ivy report as a MenuPass (APT10) affiliated domain associated with hackers based in Tianjin, China.
Highlights of the research include:
Several of the named individuals have been active registering domains as recently as June 2018, and have shown signs of reaction to IntrusionTruth’s blog post.
Named individuals such as Zhang Shilong and Gao Qiang have significant connections to known Chinese hacking forums.
Huaying Haitai is named and identified as being connected to a Chinese Ministry of Industry and Information Technology (MIIT) sponsored attack and defence competition.
Huaying Haitai has previously hired Chinese students with Japanese language skills; this is significant, as STONE PANDA has engaged in several campaigns targeting Japanese firms.
Fiserv online banking flaw fixed - industry comment
Following reports by Brian Krebs that a flaw in a Fiserv web platform used by banks and credit unions to operate online exposed personal and financial details of customers, the company now says it has fixed the weakness in its web platform.
Adam Brown, manager of security solutions at Synopsys, emailed SC Media UK to comment: "While ultimately responsible for the software flaw that has allowed this vulnerability to surface across multiple financial institutions, what’s more alarming than Fiserv’s shortcomings in design is that this has not been unearthed by any of their customers. What happened to the basic activity of penetration testing? This is a super trivial flaw to identify and even the most junior web application penetration tester should be able to find it.
"To avoid this kind of issue Fiserv would have had to go back to their design. Web applications should never allow users to access objects or controls directly. Indirect object reference maps should be used. That knowledge would be part of basic security training all software engineers should go through.
"Fiserv may have some angry corporate customers, but ultimately the risk lies with those very organisations as the controllers of their own and their customers’ data. That said, it’s likely that Fiserv, as data processors, will also be held to account by privacy watchdogs."
Javvad Malik, security advocate at AlienVault adds: "This appears to be a case of oversight in the application development and testing phase. Being able to change a value in the URL to gain access to other accounts is a well-documented security flaw that should be avoided. Knowing of this vulnerability, it would have been trivial for an attacker to write a script that would automatically change the URL and harvest many customers’ details.
"It goes to highlight that small errors can slip through, even for large companies that are well-versed in security. It's good to see Fiserv was able to respond and create a patch in a timely manner."
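The two comments above describe an insecure direct object reference (an account id taken straight from the URL) and the fix Brown recommends, an indirect object reference map. The following is an added illustration, not Fiserv's code or anything from the reports: a constructed account table, the vulnerable lookup pattern, and a hardened lookup that resolves a per-session opaque token and re-checks ownership. `IndirectReferenceMap`, the account records and the user names are all hypothetical.

```python
import secrets

# Constructed sample data: account records keyed by account id, each tagged with its owner.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 2500},
    1002: {"owner": "bob", "balance": 90},
}


def get_account_direct(session_user, account_id):
    """Vulnerable pattern: the id from the URL is used as-is, with no ownership check.
    Any logged-in user who changes the id in the URL receives another customer's record."""
    return ACCOUNTS.get(account_id)


class IndirectReferenceMap:
    """Hypothetical per-session map of opaque tokens -> real account ids.

    Only the accounts owned by the session's user are ever mapped, so the
    URL carries a random token that is meaningless outside this session."""

    def __init__(self, user):
        self.user = user
        self._tokens = {}
        for acct_id, rec in ACCOUNTS.items():
            if rec["owner"] == user:
                self._tokens[secrets.token_urlsafe(16)] = acct_id

    def tokens(self):
        # The tokens to embed in links rendered for this user.
        return list(self._tokens)

    def resolve(self, token):
        return self._tokens.get(token)


def get_account_indirect(ref_map, token):
    """Hardened pattern: resolve the URL token through the session map, then
    re-check ownership as defence in depth. Unknown or foreign tokens are
    reported as not found so that nothing about other accounts is revealed."""
    account_id = ref_map.resolve(token)
    if account_id is None:
        return None
    rec = ACCOUNTS[account_id]
    if rec["owner"] != ref_map.user:
        return None
    return rec
```

The map is built from the server-side session, so a token copied from one user's session resolves to nothing in another's; ownership is still checked on every request in case the map is ever populated from a less trusted source.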
CEO impersonation leads BEC email fraud
Barracuda Networks has analysed over 3,000 business email compromise (BEC) attacks and found that in almost half of all email impersonation cases (43 percent) the perpetrators pretend to be the CEO.
The number one objective of the cyber-criminals was to generate a wire transfer (46.9 percent), with the second most popular aim being to get the recipient to click on a malicious link (40.1 percent).
60 percent of the attacks did not include malicious links but were simple plain-text emails intended to fool the recipient into making a wire transfer or sending sensitive information. These plain-text emails are especially difficult for many email security solutions to identify.
The CEO is the role most commonly impersonated (42.95 percent). The term ‘CEO fraud’ to describe BEC is therefore entirely justified.
Meanwhile, the majority of recipients of these emails are in more junior roles, with 53.7 percent of recipients holding roles outside the C-level and not working in the sensitive departments of HR or finance.