Cyber Weekly Flash Brief 21 August 2020: Uber infosec exec charged with cover-up, 50% anti-malware products fail, WFH security breach surge, 40% of firms sacked staff for cyber breaches during Covid
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Former Uber security executive charged with data breach cover-up
Uber’s former chief security officer has been charged with obstruction of justice over accusations that he attempted to cover up a 2016 hack of the company, which exposed the personal details of 57m users and drivers.
Prosecutors said Joseph Sullivan, 52, hid the breach from the relevant authorities, and instead paid a ransom to the hackers and had them sign non-disclosure agreements stating, falsely, that they had not stolen personal information.
“The agreements contained a false representation that the hackers did not take or store any data,” prosecutors said in a press release. “When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements.”
Mr Sullivan, who worked at Facebook prior to Uber, is said to have authorised the payment to the hackers of $100,000 in bitcoin, disguising the fee as coming via the company’s legitimate “bug bounty” programme — normally used to pay well-intentioned cyber security experts for discovering flaws and vulnerabilities.
It was not until November 2017, almost a year after Mr Sullivan allegedly knew the attack took place, that Uber revealed its knowledge of the breach and Mr Sullivan was dismissed.
Why this matters?
Not only was a criminal act conducted against Uber but a further criminal act was then conducted within the firm to cover it up. This shows what is at stake, that people will go to lengths to cover things up and that strong governance is needed and appropriate controls, and rewards, need to be in place across the organisation to encourage good behaviours.
Read more: https://www.ft.com/content/aff1fe76-418e-4f93-ba27-5a3c888c4252
Half of anti-malware products fail to recognize notable threats
Many of the most popular, well-established cyber security solutions do not protect their users from all notable threats, according to new analysis from SE Labs.
The security firm tested 14 of the world’s most popular cyber security solutions and, while products from Microsoft and Kaspersky Lab scored 100 percent, more than half failed to identify all threats.
"While the numbers of 'misses' are not out of this world, it's disappointing to see big brand products miss well-known threats," said Simon Edwards, CEO at SE Labs.
"Although we do 'create' threats by using publicly available free hacking tools, we don't write unique malware so there is no technical reason why any vendor being tested should do poorly."
According to SE Labs, the firm used common threats that affect the general public to conduct the tests, as well as more targeted forms of attack.
"In some cases the bad guys actually help us out, by sending our own organization the same types of malware that they use to target other potential victims. The Emotet malware campaign that ran in July of this year was a notable example," Edwards added.
With the Covid-19 pandemic forcing employees to remain at home, it has never been more important to protect devices and data from cyberthreats. Businesses and consumers alike are advised to keep their operating systems, applications and cybersecurity solutions up to date.
Why this matters:
Many firms put too much faith in technical controls, yet reports like this prove the point that technical controls are not as good as many people believe.Technical controls, even the best technical controls, only go so far when information security is a whole of business risk and people controls are needed in addition to technical controls to keep a firm safe.
Read more: https://www.itproportal.com/news/half-of-anti-malware-products-fail-to-recognize-notable-threats/
Hundreds of millions of Instagram, TikTok, YouTube accounts compromised by data breach
Security researchers have discovered an exposed database online which contains scraped data from the social media profiles of nearly 235m Instagram, TikTok and YouTube users.
For those unfamiliar with the practice, web scraping is an automated technique used to gather data from websites that is often employed by analytics firms who use it to create large databases of user information. Although the practice is legal, it is strictly prohibited by social media companies as it puts the privacy of their users and their data at risk.
Researchers discovered three identical copies of the exposed database online at the beginning of August. After examining the database they learned that it belonged to a company called Deep Social which has shut down its operations.
Why this matters
Big beaches like these, where data has been taken from different sources, breaches and public databases, can give attackers an incredible amount of data on you, probably enough to then start attacking your home or your employer. Even as far as identity theft type attacks.
Working from home causes surge in security breaches, staff 'oblivious' to best practices
The COVID-19 pandemic shows little sign of slowing down, and for many businesses, employees are still working remotely and from home offices.
While some companies are gearing towards reopening their standard office spaces in the coming months -- and have all the challenges associated with how to do so safely to face -- they may also be facing repercussions of the rapid shift to remote working models in the cyber security space.
In the clamor to ensure employees could do their jobs from home, the enterprise needed to make sure members of staff had the right equipment as well as network and resource access.
However, according to Malwarebytes, the rushed response to COVID-19 in the business arena has created massive gaps in cyber security -- and security incidents have increased as a result.
On Thursday, the cyber security firm released a report (.PDF), "Enduring from Home: COVID-19's Impact on Business Security," examining the impact of the novel coronavirus in the security world.
Company telemetry and a survey conducted with 200 IT and cyber security professionals suggest that since the start of the pandemic, remote workers have caused a security breach in 20% of organisations.
As a result, 24% of survey respondents added that their organizations had to pay unexpected costs to address cyber security breaches or malware infections after shelter-in-place orders were imposed.
Why this matters:
Months into this pandemic and staff working from home many staff are still oblivious to what they should and should not be doing and some firms are not doing a good enough job of getting their staff to appreciate the role they playing in helping to keep their firm’s safe.
Two-fifths of firms have sacked staff for cybersecurity breaches during Covid, poll shows
Almost two-fifths of business decision-makers (39 per cent) have dismissed employees because of a cyber security policy breach since the pandemic began, a survey has found.
The research polled 200 UK business decision-makers and found more than half (58 per cent) of firms believed that working from home made employees more likely to circumvent security protocols – including through the use of personal laptops and failing to change passwords.
To combat poor employee security practices, more than half (55 per cent) of those surveyed had banned, or planned to ban, staff from using personal devices to work from home.
Meanwhile, 57 per cent were implementing more measures to securely authenticate employees, including biometric data checks such as fingerprint and facial recognition technology, and multi-factor authentication steps to access certain files, applications and accounts.
The poll found that almost two-thirds (65 per cent) had made substantial changes to their cybersecurity policies in response to breaches and to Covid-19.
Why this matters:
It is imperative employers revisited their data security protocols in light of widespread home working. Employers need to communicate that the same principles of data protection apply at home as in the office, including that a breach could lead to severe disciplinary action. The importance of securing data and directing employees accordingly cannot be underestimated as the employer could find themselves responsible for significant data breaches if they have not taken appropriate steps to protect it.
Separately, a report by recruitment firm Robert Walters has found that up to 65,000 cyber attacks take place on UK SMEs every day, with 4,500 successful. The report, Cyber security: Building Business Resilience, found that almost half (48 per cent) of UK companies admitted to not having adequate cyber security provision to maintain a fully remote working model.
We are at the mercy of Google's cloud services – and it could cost us dearly
If the internet is our information superhighway, this week's mass outage of Google services represents the sudden and total closure of the M25.
Users up and down the country who rely on the system for their livelihoods found themselves confronted with the simple Gmail message: “Oops, something went wrong”. It was the digital equivalent of the Road Closed sign.
Such is the public and private sector’s dependence on software services provided by Google and its rivals Amazon, Microsoft and Alibaba that the five-hour outage will likely be felt at GDP level.
Never mind the frustration felt by hundreds of thousands of homeworkers, think of all the lost opportunities from meetings unattended, the lost confidence from work unsent and the lost productivity from reduced output.
It all adds up: a temporary internet shutdown costs an advanced economy like Britain’s £107m per day according to a report from Deloitte and Facebook into the economic impact of disruptions to connectivity.
That’s equivalent to 1.9 per cent of daily GDP. A big hit, especially in a recession when companies small and large are fighting for their lives and public services are stretched to the limit.
Why this matters
Firms are increasing reliant on a small number of providers and a loss of any one of those providers could have serious ramifications for any business operating online. It is always best to diversify your critical systems across different providers such that a loss of one does not have such wide reaching impact.
Four million Britons with Huawei phones risk their devices becoming obsolete
Up to four million British consumers could be stuck with increasingly useless and vulnerable Huawei mobiles after the Chinese firm was blocked from receiving future software updates due to US sanctions.
The crisis-hit company's phones are in danger of rapidly becoming obsolete following the expiry of a temporary licence allowing it to use apps and Android updates from Google - raising fears they could become increasingly slow and laden with bugs.
Huawei is at risk of being unable to renew the licence after being blacklisted by the Trump administration in May last year, with US companies barred from selling technology to it without explicit government approval.
As a result, Huawei phones using Google Mobile Services could stop getting new features and security updates from the US company.
The US claims that Huawei equipment can be used by the Chinese government for espionage – something which Huawei has repeatedly denied. Older Huawei phones, developed before May 2019, are still expected to have the support of critical security features.
Why this matters:
Security updates need to rolled out to keen devices and software secure once vulnerabilities have been found and fixed by vendors. If Huawei phones are no longer able to receive these security updates any vulnerabilities in the underlying operating system will be able to continue being exploited by cyber criminals or ironically nation state actors.
HMRC Investigating Over 10,000 COVID-Related Phishing Scams
More than 10,000 email, SMS, social media and phone scams exploiting the COVID-19 pandemic are being investigated by Her Majesty’s Revenue and Customs (HMRC) in the UK.
The official figures, published following a Freedom of Information (FOI) request highlight how the health and economic crisis has provided major scamming opportunities for cyber criminals.
The data showed that May was the month in which the highest number of phishing scams were reported by members of the public to HMRC, at 5152, representing a 337% rise compared to March when lockdown measures were first introduced in the UK. This was followed by 2558 reports in June, and 2105 in April. The total since March comes to 10,428.
Government programs introduced to support businesses and workers impacted by the lockdown have been a common target for scammers. Examples include an email purporting to be from HMRC regarding the government’s Coronavirus Job Retention Scheme, which attempted to get business owners to reveal their bank account information, while another offered a bogus tax rebate under the guise of the Self-Employment Income Support Scheme.
The FOI also showed that 106 COVID-related websites have been requested for removal since March, with April the highest month at 42, followed by 24 in May and 17 in March. In May, it was revealed that HMRC formally asked internet service providers (ISPs) to remove 292 scam web addresses exploiting the coronavirus outbreak.
Why this matters:
Cyber criminals will always take advantage of current events, crises and tragedies to exploit unsuspecting victims. This has never been so evident as with the current Coronavirus pandemic, especially with the shift to more staff working from home.
Read more: https://www.infosecurity-magazine.com/news/hmrc-investigating-covid-related/