Smashing Security podcast #258: Tesla remote hijacks and revolting YouTubers


Carole’s still on jury service, but the show must go on! We take a look at how some Tesla owners are at risk of having their expensive cars remotely hijacked, and why YouTubers are up in arms over NFTs.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.


Applications Open for Next NCSC for Startups Cohort


Applications have opened for the latest NCSC for Startups program, which is focusing on companies developing products to protect SMEs from ransomware.

The program, designed to help the growth and development of the UK’s most promising cybersecurity startup firms, was launched last June. It is run by the National Cyber Security Centre (NCSC) and Plexal, and is a successor to the successful NCSC Cyber Accelerator program.

The first companies to participate in this new program were announced in August.

For its next cohort, NCSC for Startups is inviting applications from startups creating products designed to protect SMEs from surging ransomware attacks. Specifically, these are companies that:

Can defend SMEs from ransomware by providing accessible, low-cost protection
Encourage firms to implement secure backups to minimize the impact of an attack
Address risks posed by remote desktop protocol (RDP) as more businesses and individuals implement home and remote working

Cyber-criminals have dramatically increased their targeting of SMEs during the pandemic, with many of these businesses having to undertake rapid digital transformation projects. Yet many of these firms do not have the necessary cybersecurity skills or tools to protect themselves.

Successful applicants will receive continuous onboarding for 12 months, working with leading cybersecurity experts to develop, adapt and test their products.

Chris Ensor, deputy director for cyber growth at the NCSC, commented: “Ransomware presents the most serious cyber security threat to the UK, and it is vital that organizations protect themselves.

“Our latest NCSC for Startups challenge provides a great opportunity for innovative companies to collaborate with us in the fight against ransomware and strengthen the UK’s defenses.”

Saj Huq, director of innovation at Plexal, said: “Ransomware doesn’t just affect large, established companies: there is a growing risk to SMEs that make up the backbone of our economy, and anyone who lives and works online are potential victims.  

“This is a unique and game-changing opportunity for startups to work on the biggest cyber-threat around alongside experts from the NCSC and industry who are working day in, day out, to keep the UK safe – and I hope they respond to this call with a sense of urgency and mission.”

Interested companies can submit their applications at: https://www.ncsc.gov.uk/section/ncsc-for-startups/join-the-ncsc-for-start-ups.

The NCSC for Startups program forms part of the UK’s National Cyber Strategy, unveiled in December.


NFTs – Protecting the investment


This blog was written by an independent guest blogger.

Non-fungible tokens (NFTs) are the new player in the financial investment market. They’ve seen tremendous interest from a wide range of parties, whether that be institutional investors or retail hobbyists looking to find an angle. As with anything involving money, malicious actors are already starting to take hold; Insider magazine recently highlighted the 265 Ethereum (roughly $1.1 million) theft due to a fraudulent NFT scheme.

Just as cybersecurity has needed frequent and substantial improvements to shore up the security scene, so have NFTs, and those who purchase them. Funnily enough, the key to protecting NFTs is first understanding their financial liability and the laws governing them.

Governmental regulations

Cryptocurrency has been subject to a rapidly changing body of laws as the government tries to control it through regulation. NFTs are much the same; while they have entered the market as a form of ultra-modern art exchange, they are still financial instruments. As a result, buyers and sellers have been hit with unexpected fines and seizures by the government due to a poor understanding of the rules. Indeed, Vice recently reported that the US tax authorities had placed sanctions on 57 cryptocurrency addresses and one popular exchange due to their connections with money laundering.

Protecting yourself in this regard comes down to two, fairly basic, steps. Firstly, understand that NFTs are not a currency or simply a piece of art. They remain assets according to the IRS rules, which means they are subject to the capital gains tax. All NFT exchanges must satisfy this rule. Secondly, make sure to use reputable exchanges. Do thorough research on your exchange, make sure they are fully regulated, and protect your own wallet.

Protecting your wallet

NFTs are cryptocurrencies, and so their security is the same as the security of the crypto wallet. Cryptocurrency wallet theft is no small issue. Figures analyzed by Forbes highlight the sheer scale of wallet hacks, with one recent attack gaining notoriety after it extracted $600 million in Ethereum.

A well-protected cryptocurrency wallet has three main features. Firstly, its owner practices good digital hygiene – keep your credentials secure and use multi-factor authentication. Secondly, it has backups – physical data, such as an external hard drive, is a good idea. Lastly, smart cryptocurrency defense relies on using good quality cybersecurity tools on any device where you are dealing with your cryptocurrency sales, with a firewall and antivirus as a minimum.

Staying ahead

Updates are a crucial factor in any effective anti-malware system. As The Verge highlights, white hat operators have recently helped to patch huge vulnerabilities that enabled the illegal seizure of NFTs via scam schemes built on the gifting of NFTs. Proper protection of this ilk requires user awareness and the dedication of programmers. It’s essential to proactively patch vulnerabilities before they can become an issue that will result in wide-scale thefts of NFTs or the overall degradation of market assurance.

On a personal basis, once again, researching the market and looking to keep an eye on emerging threats and trends will help to bridge this gap. Sometimes even having one eye on the trend can create the small amount of awareness needed to avoid a scam.

NFT protection is, then, similar to protecting any other digital financial asset. The fact that NFTs are presented as art is something that is misleading when it comes to effectively creating protections for them against hackers. Treat NFTs like their source technology, cryptocurrency. This can help ensure that they retain their protections and are secure against malicious actors.


Twitter Mentions More Effective Than CVSS at Reducing Exploitability


Monitoring Twitter mentions of vulnerabilities may be twice as effective as CVSS scores at helping organizations prioritize which bugs to patch first, according to new research.

Kenna Security’s latest report, Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability, was compiled with help from the Cyentia Institute.

It confirmed what many security experts have been saying for some time: the sheer volume of CVEs discovered today means organizations must get better at prioritizing which vulnerabilities to fix.

Although an average of 55 bugs were discovered every day in 2021, the good news is that only 4% posed a high risk to organizations, according to the research. It went further, claiming that 62% of the vulnerabilities studied had less than a 1% chance of exploitation, while only 5% exceeded a 10% probability.

To arrive at its findings, Kenna Security used an industry-devised Exploit Prediction Scoring System (EPSS), which uses CVE information and real-world exploit data to predict “whether and when” vulnerabilities will be exploited in the wild.

Not all vulnerability management strategies are created equal, argued Kenna Security co-founder and CTO, Ed Bellis.

“Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS scores in minimizing exploitability. Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about two times better),” he wrote.

“We also learned that, given the choice, it’s far more effective to improve vulnerability prioritization than increase remediation capacity … but doing both can achieve a 29-times reduction in exploitability.”

Bellis concluded that prioritizing bugs via exploitability rather than technical CVSS scores is “the strategy of the future” and one that US government security experts appear to be taking.

“The data shows that taking this more measured approach of prioritizing exploitability over CVSS scores is the way to go and the recent Cybersecurity and Infrastructure Security Agency (CISA) directive agrees,” he argued.


Eleven Arrested in Bust of Prolific Nigerian BEC Gang


Nigerian police have arrested 11 more suspected members of a prolific business email compromise (BEC) gang that may have targeted hundreds of thousands of organizations.

Interpol coordinated Operation Falcon II with the Nigerian Police Force (NPF) over 10 days in December 2021, having sought input from other police forces across the globe investigating BEC attacks via its I-24/7 communications network.

Those arrested are thought to be part of the Silver Terrier (aka TMT) group. One individual had the domain credentials of 800,000 potential victims on his laptop, while another was monitoring online conversations between 16 companies and their clients and diverting funds to TMT, Interpol claimed.

A third is suspected of BEC attacks across West Africa, including Nigeria, Gambia and Ghana.

Any intelligence and evidence gleaned from the operation will be fed into Interpol’s Global Financial Crime Taskforce (IGFCTF) to help prevent further fraud.

“Operation Falcon II sends a clear message that cybercrime will have serious repercussions for those involved in business email compromise fraud, particularly as we continue our onslaught against the threat actors, identifying and analyzing every cyber trace they leave,” said Interpol director of cybercrime, Craig Jones.

“Interpol is closing ranks on gangs like SilverTerrier. As investigations continue to unfold, we are building a very clear picture of how such groups function and corrupt for financial gain. Thanks to Operation Falcon II we know where and whom to target next.”

The first iteration of this anti-BEC campaign was run in 2020 and resulted in the arrest of three TMT suspects. The gang was thought to have compromised as many as 500,000 victim organizations by that time, according to Group-IB, which was involved in both operations.

“Group-IB’s APAC Cyber Investigations Team has contributed to the current operation by sharing information on the threat actors, having identified the attackers’ infrastructure, collected their digital traces and assembled data on their identities,” it explained in a statement.

“Group-IB has also expanded the investigation’s evidence base by reverse-engineering the samples of malware used by the cyber-criminals and conducting the digital forensics analysis of the files contained on the devices seized from the suspects.”


Red Cross: Supply Chain Data Breach Hit 500K People


The International Committee of the Red Cross (ICRC) has revealed a major data breach that compromised the personal details of over 515,000 “highly vulnerable” victims.

The data was stolen from a Swiss contractor that stores it on behalf of the global humanitarian organization headquartered in Geneva.

The ICRC claimed the data originated from at least 60 Red Cross and Red Crescent National Societies worldwide.

Some of the most vulnerable members of society are affected, including individuals separated from their families due to conflict, migration and disaster, missing persons and their families and people in detention, it added.

“An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” said Robert Mardini, the ICRC’s director-general.

“This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.”

There’s no indication the information has been shared publicly yet, but that’s no guarantee it won’t be in the future. That’s why Mardini pleaded with the threat actors not to leak or sell the spoils of their attack.

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering,” he said.

“The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

Given financially motivated cyber-criminals have targeted hospitals with ransomware in the past, there’s certainly no guarantee that Mardini’s words will be heard. Nor is it clear whether it was a criminal rather than a state-sponsored attack.

As a result of the attack, the ICRC said it had been forced to shut down its Restoring Family Links service, which it claims reunites 12 missing people on average with their families every day.


BadUSB explained: How rogue USBs threaten your organization


In January 2022, the FBI issued a public warning over a USB attack campaign in which numerous USB drives, laced with malicious software, were sent to employees at organizations in the transportation, defense, and insurance sectors between August and November 2021. The USBs came with fake letters impersonating the Department of Health and Human Services and Amazon, sent via the U.S. Postal Service and UPS. The campaign has been dubbed “BadUSB,” and the FIN7 hacker organization has been named as the culprit. Here is what you need to know about BadUSB and mitigating the risks of this USB attack.

BadUSB definition

“The BadUSB attack provides the victim with what looks like a physical USB stick and a lure to plug it into the victim’s system, such as promising a gift card as a thank you or invoices that need to be processed,” explains Karl Sigler, senior security research manager at Trustwave SpiderLabs. His malware research team initially discovered the campaign in 2020 while examining a malicious thumb drive as part of a forensic investigation for a U.S. hospitality provider.


What CISOs can learn about insider threats from Iran’s human espionage tactics


Over the last few months, there has been an uptick of espionage revelations concerning Iran and its interest in collecting information against regional adversaries as well as Iranian ex-pats whose views are divergent to those of the current regime. It is important for CISOs to understand the human side to the Iranian offensive efforts to gather information of interest.

Iran recruits eyes within Israel

In mid-January Israel’s Shin Bet (internal security service) revealed four Israeli women had been arrested for espionage, having been successfully recruited by Iranian intelligence via Facebook. The women, all of Iranian descent, were contacted by an individual who identified himself as Rambod Namdar, who claimed to be a Jewish man living in Iran. The modus operandi is one that has been seen many times before: Establish contact via a social network and then daisy-chain the contact to a seemingly more secure communication medium, in this case, WhatsApp.


INTERPOL and Nigerian Police bust business email compromise ring, arrest 11


INTERPOL and the Nigerian Federal Police today announced the arrests of 11 business email compromise (BEC) actors in Nigeria as part of an international operation to disrupt and tackle sophisticated BEC cybercrime. Many of the suspects are thought to be members of SilverTerrier, a network known for BEC scams that have impacted thousands of companies globally. The results are the latest example of industry and law enforcement efforts to thwart BEC activity, the most common and costly cyberthreat facing organizations.


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution


Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
