Japan Cryptocurrency Exchange Coincheck starts refunds for $530m hack

The cryptocurrency exchange that fell to a hack of about $534 million in January this year has now started reimbursing the affected customers who lost funds in the hack.

In its blog post, Coincheck said that it will refund users as per its original compensation plan at the rate of 88.549 JPY ($0.83) per NEM stolen, and that to qualify for reparations, users must have held that amount of NEM on its platform at 23:59:59 JST on 26 January 2018.

The total amount reimbursed will come to about $420 million.

After the hack, Coincheck had imposed restrictions on trading and withdrawal of some cryptocurrencies on the exchange. The company is now going to lift some of these restrictions to allow for withdrawals and sales, according to another blog post.

It also said that it is working on evaluating the risks associated with each currency and will “confirm the technical security of our systems regarding these currencies in order to resume normal operations.”

The exchange also plans to resume deposits and purchases of all currencies, and open for new registrations once security and management systems have been updated.

“Once again, we would like to apologize for the inconveniences that the illicit transfer of NEM from our platform and the resulting suspension in services has caused our customers and anyone else affected by this incident. Thank you for your patience,” the company said in its blog post.

New report says IoT adoption heightens cybersecurity threat

A new report by Navigant Research says that with the increasing adoption of Internet of Things (IoT) devices and systems, threats to cybersecurity are also increasing, as attackers are given more “vectors and surfaces” to target.

The report looks at the state of IoT as a whole, not just in utilities, and addresses questions such as the common vulnerabilities present in IoT settings, strategies for cybersecurity and the global revenue forecast for IoT security. It also examines the regulatory frameworks shaping the market and the steps that can be taken to minimize risk.

Oracle Chairman Larry Ellison says that companies are losing this cyber war: “Make no mistake, it’s a war.”

“The mushrooming number of IoT devices being deployed by utilities and other enterprises carries an obvious and growing security risk,” said Neil Strother, principal research analyst with Navigant Research. “Smart managers need a comprehensive strategy to stay ahead of potentially devastating threats to IoT assets.”

He added that managers can no longer rely on the “old-school reactive” approach but must instead adopt “latest proactive and predictive tools and methodologies to keep devices and systems safe.”

The report itself is aimed at utility security managers, enterprises, IoT cybersecurity solution vendors, investor groups, regulators, and other stakeholders.

Russian Hacking Group Targets The German Government’s Internal Communications Network

An infamous Russian hacking group known as Fancy Bear, or APT28, is widely considered responsible for a security breach of the private networks of Germany's defence and interior ministries, a breach that a government spokesman has confirmed.

The group is also said to be behind the breaches during the 2016 US election and various other cyber-attacks on the West. It is reported to have targeted the government's internal communications network with malware.

According to reports by the DPA news agency, the hack was first recognised in December and may have been under way for up to a year.

"We can confirm that the Federal Office for Information Security (BSI) and intelligence services are investigating a cyber-security incident concerning the federal government's information technology and networks," a German interior ministry spokesman said on Wednesday.

The group apparently hacked into a government computer system known as the "Informationsverbund Berlin-Bonn" (IVBB) network, which is specifically designed to operate separately from public networks in order to provide additional security. The network is used by the German Chancellery, parliament, federal ministries and several security institutions.

Fancy Bear, also called Pawn Storm, is believed to run a global hacking campaign that is “as far-reaching as it is ambitious”, according to a report by computer security firm Trend Micro.

Palo Alto Systems, a cyber-security firm, on Wednesday released a report saying that Fancy Bear now appears to be using malicious emails to target North American and European foreign affairs officials, including a European embassy in Moscow.

"Pawn Storm" was also blamed for a similar attack on the lower house of the German parliament in 2015 and is likewise thought to have targeted Chancellor Angela Merkel's Christian Democratic Union party.

Authorities in the country issued repeated warnings about the possibility of "outside manipulation" in last year's German election.

The group has been linked to the Russian state by various security experts investigating its international hacks and is also known by other names, including CozyDuke, Sofacy, Sednit and Tsar Group.

Chinese Hacking Groups target UK Think Tanks

Cybersecurity firm Crowdstrike says that UK think tanks are being repeatedly targeted by Chinese hacking groups. Crowdstrike says that beginning in April 2017, it saw repeated targeting of British think tanks specialising in international security and defence issues.

The firm said it has investigated the breaches and attributes these attacks to groups it calls “Panda,” which Crowdstrike says are China-based and linked to the Chinese state.

Crowdstrike was reportedly called in by some of the think tanks to investigate the attacks, help with clean-up and shore up their security. According to a report by the BBC, not all of the attacks were successful.

The company also said that Chinese cyber activity increased worldwide in 2017, with targets including universities, law firms and technology companies.

According to Dmitri Alperovitch, Crowdstrike’s co-founder and CTO, think tanks that work on Chinese policy were targeted “very aggressively” in an attempt to steal reports and information relating to connections with the government.

He said that this was because the attackers believe the think tanks are influential in the US and UK, adding that "they believe that they may have access to information which is not public.”

According to Alperovitch, the hackers would persist and try to get back in even after they had been kicked out.

Russia hacks Winter Olympics, shifts blame on North Korea

According to a report in the Washington Post on Sunday, U.S. intelligence has found that Russian military spies hacked several hundred computers used by authorities during the 2018 Winter Olympic Games in South Korea.

Over 300 Olympic-related computers were hacked early in February, continuing a string of cyber attacks on the Winter Olympics.

U.S. officials say that this was a “false-flag” operation, in which the attackers made it appear that North Korea was behind the attack by using North Korean IP addresses. Olympic organisers confirmed at the beginning of the games that an attack had taken place but did not reveal who the attackers were.

The attack took down internet and WiFi access during the opening ceremony on February 9th, as well as the event’s website, and also caused the failure of several other Olympic-linked websites and broadcast systems.

Due to the attack, many attendees were unable to print their tickets, leading to empty seats.

Some analysts believe that the attack was in retaliation for Russia’s ban from the Winter Olympics following an investigation into doping violations by Russia.

However, Russia’s foreign ministry has denied Russia’s involvement in the attacks. "We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea," it said.

Lee County Tax Collector’s email hacked

On Thursday, an email went out from the office of Lee County Tax Collector Larry Hart, sent by hackers who had gained access to his email account.

It has been reported that Hart was using a device away from his office and that this device was compromised.

Lee County taxpayers are now worried that their information might have been compromised in the hack. However, Noelle Branning, Deputy Chief Tax Collector, said that because Larry Hart rarely emails taxpayers directly, they are unlikely to have received the email.

"We don't think our taxpayers need to have any concern," Branning said. "Additionally, it doesn't appear that any taxpayer information has been compromised in any way."

While the office maintains that it does not seem that any information has been compromised, Branning cautions anyone opening an email from Hart to be careful.

"If it's an email coming from Mr. Hart containing an attachment or a link, no one should open the attachment, nor should they try to click on the link," said Branning.

Hart’s account has been disabled as a security measure and is undergoing a forensic examination. A cybersecurity professional is helping the office get to the bottom of the hack. Meanwhile, an organisation-wide advisory has been sent out to make staff aware of the risk.

Other counties have also been warned of the possibility of a hack.

Advancing Ransomware Attacks and Creation of New Cyber Security Strategies

As ransomware is on the rise, organisations are focusing too much on anti-virus software rather than proactively forming strategies to deal with cyber-attacks, which could pose an indefinite threat to users. One piece of good advice for dealing with this issue is the creation of air gaps, since these make it much easier to store and protect critical data and also allow data to be stored offline. When a ransomware attack occurs, it should then be possible to restore your data without much downtime, if any at all.

But organisations more often than not find themselves taking one step forward and then one step back. Traditionally, ransomware has focused on backup programs and their associated storage; now it seems very keen on perpetually targeting the storage subsystems themselves, which has spurred organisations into putting robust backup procedures in place to counter an attack if it gets through.

So, in order to be proactive, organisations should adopt ways of protecting data that allow it to be readily recovered whenever a ransomware attack, or some other cyber security issue, threatens to disrupt day-to-day business operations and activities.

Clive Longbottom, client services director at analyst firm Quocirca explains: “If your backup software can see the back-up, so can the ransomware. Therefore, it is a waste of time arguing about on-site v off-site – it comes down to how well air locked the source and target data locations are.”

However, defending against any cyber-attack requires several layers of defence, which may include a firewall, anti-virus software or backups. The last layer of defence available to the user must be the most robust of them all, to stop any potentially costly disruption in its tracks before it’s too late. Anti-virus software must therefore still play a key defensive role.

A ransomware attack is pretty brutal, warns Longbottom: “It requires a lot of CPU and disk activity. It should be possible for a system to pick up this type of activity and either block it completely, throttle it, or prevent it from accessing any storage system other than ones that are directly connected physically to the system.”
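The kind of detection Longbottom describes, flagging a process by its burst of disk activity, as an added example that is not part of the original article or of any vendor's product: the script below parses constructed file-activity events (the log format, process names, file paths and thresholds are all assumptions) and reports any process that modifies more than a set number of distinct files inside a short sliding window, the point at which a system could throttle or block it.

```python
"""Flag ransomware-like write bursts in file-activity events.

Added example, not from the article. The log format is constructed:
one event per line, 'timestamp pid process op path'. A process that
modifies more than MAX_FILES distinct files within WINDOW is reported
so the caller can throttle or block it.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed sliding window
MAX_FILES = 20                   # assumed per-process threshold


@dataclass
class Event:
    ts: datetime
    pid: int
    proc: str
    op: str
    path: str


def parse_line(line: str) -> Event:
    """Parse 'ts pid proc op path'; maxsplit keeps spaces in the path."""
    ts, pid, proc, op, path = line.split(" ", 4)
    return Event(datetime.fromisoformat(ts), int(pid), proc, op, path)


def detect(lines, window=WINDOW, max_files=MAX_FILES):
    """Return {pid: (process, first_alert_time, distinct_files)} for
    every process whose distinct modified files exceed max_files
    within any window-long span of events (events must be in time order)."""
    recent = defaultdict(deque)   # pid -> deque of (ts, path)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev.op not in ("WRITE", "RENAME", "CREATE"):
            continue              # reads alone are normal for backup jobs
        q = recent[ev.pid]
        q.append((ev.ts, ev.path))
        # Evict events that have fallen out of the sliding window.
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_files and ev.pid not in alerts:
            alerts[ev.pid] = (ev.proc, ev.ts, len(distinct))
    return alerts


def constructed_events():
    """Constructed sample: an editor saving a few documents over minutes,
    then a process rewriting and renaming 30 files in under 5 seconds."""
    base = datetime(2018, 2, 20, 10, 0, 0)
    lines = []
    for i in range(3):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 4001 word.exe WRITE "
                     f"C:\\Users\\ann\\Documents\\report{i}.docx")
    for i in range(30):
        ts = base + timedelta(minutes=5, milliseconds=150 * i)
        path = f"C:\\Users\\ann\\Documents\\file{i}.xlsx"
        lines.append(f"{ts.isoformat()} 6002 encsvc.exe WRITE {path}")
        lines.append(f"{ts.isoformat()} 6002 encsvc.exe RENAME {path}.locked")
    return lines


if __name__ == "__main__":
    for pid, (proc, ts, n) in detect(constructed_events()).items():
        print(f"ALERT pid={pid} proc={proc} at {ts.time()} "
              f"touched {n} files within {WINDOW.seconds}s")
```

The benign editor never exceeds the threshold, while the bulk-rewriting process is flagged as soon as its 21st distinct file is touched. In a real deployment the thresholds would be tuned against the host's normal workload, and a backup agent would be whitelisted by identity rather than by behaviour.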

Under the traditional approach, data centres are often located in close proximity to each other in order to limit the impact of latency, but the fact that they are all too often situated within the same circle of disruption increases the financial, operational and reputational risks associated with downtime.

There are therefore a few tips that can help the user mitigate ransomware attacks:
• The more layers you can add, the better.
• User education.
• Update your backup regularly; it can be the last layer of defence.
• Have a copy off site, on tape or in the cloud, but don’t leave the drawbridge down.
• Plan your backup process around your recovery requirements.

By following these tips, one can prevent cyber-attacks with far greater ease and precision.

Security Flaw in Oracle POS systems discovered

Researchers at ERPScan have discovered a new security flaw in the Oracle Micros Point-of-Sale (POS) systems that has left over 300,000 systems vulnerable to attack from hackers.

It was discovered in September 2017 by security researcher Dmitry Chastuhin and assigned the identifier CVE-2018-2636.

Oracle already issued updates for this issue earlier in the month, but because companies fear unstable patches and the losses they can cause, it is suspected that it may take months for the patch to reach affected systems.

According to Chastuhin, exploiting the flaw enables hackers to collect configuration files from the systems and gain access to the server.

Hackers can also exploit the flaw remotely using carefully crafted HTTP requests. Many of the vulnerable systems have been misconfigured to allow such access and are exposed online, where they could be easily exploited if the patches aren’t applied soon.

Patches for the flaw were made available in January 2018 in Oracle’s Critical Patch Update (CPU). More information on the bug can be found here.

UK Government to Fine Infrastructure Organisations up to £17m for Lax Cybersecurity

Industries running critical infrastructure in the UK will face fines of as much as £17 million ($24 million) if they fail to put strong cybersecurity measures in place as required by the NIS Directive.

The NIS Directive covers network and information security measures that must be in place by 9 May 2018, and was announced by the UK government on Sunday.

The affected industries include transport, water, energy, and health businesses.

These fines are apparently a “last resort” if any of the above-mentioned businesses fails to follow the cybersecurity guidelines required of all industries in EU member states.

The government warned that a regulator will be able to assess the cybersecurity infrastructure of the country's critical industries and will have the power to issue legally-binding instructions to make sure the security is up to its mark — including imposing fines.

The Directive’s objectives are outlined as managing security risk, ensuring protection against cyber attacks, detecting cybersecurity events, and minimising the impact of cybersecurity incidents.

"We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC's advice on how they can improve their cybersecurity,” said Margot James, Minister for Digital and Creative Industries.

According to the government, it is working on a “simple, straightforward reporting system” through which cyber breaches and IT failures can easily be reported so they can be quickly identified and acted upon.

The National Cyber Security Centre (NCSC) website states that the first iteration of the Cyber Assessment Framework (CAF) will be available by the end of April 2018.

Team8 Portfolio Company Hysolate Comes Out of Stealth and Launches its First Product on a Disruptive Hybrid Architecture

The Israeli cyber security company Hysolate, founded by President Tal Zamir, a veteran of an elite Israeli cyber unit and former research and development leader at Wanova, and Dan Dinnar, former CEO of HexaTier and sales executive at CyberArk, has recently made the news for raising around $8 million in a round led by the cyber security foundry Team8 and Eric Schmidt's Innovation Endeavors.

In light of the rising number of cyber threats, the Team8 portfolio company has at last come out of stealth and launched its first product.

Past incidents have repeatedly pushed enterprises into locking down user devices, preventing users from fully browsing the web, installing new applications, connecting USB devices or communicating adequately with third parties or the cloud.

In other cases, enterprises adopt an "air gap" security model that requires users to carry two laptops: one unrestricted laptop for full internet use and another, fully locked-down laptop for privileged corporate access. While this significantly enhances security, productivity suffers, and the arrangement never fails to frustrate employees.

Hysolate, while maintaining the highest level of security, enables enterprises to run multiple operating systems side by side on a single workstation, giving end-users a seamless experience. The start-up built its platform on an alternative "hybrid" architecture that eliminates these difficulties.

Zamir said, "While we are proud to introduce Hysolate, what excites us even more is that we are creating game-changing comprehensive security architecture for endpoints. The feedback we have received from our first customers - who include some of the world's most respected and well-known brands - over the last year has been overwhelmingly positive, and we look forward to rapidly expanding our customer and partner base over the next year."

Nadav Zafrir, Co-Founder and CEO of Team8, agrees that while most enterprise security products put security first and users last, Hysolate is "secure-by-design", guaranteeing no compromise on either security or user experience. He adds that since its inception, the Hysolate team has far surpassed expectations.

Hysolate is already working with some of the biggest enterprises in the world, including several of the world's largest banks, technology vendors, financial service providers and other enterprise organisations, and is the fourth company to be launched out of Team8, joining Illusive Networks, Claroty and the recently launched Sygnia.

New Intel Security Flaw Detected

F-Secure, a Finnish cybersecurity firm, revealed on Friday that it has discovered another security flaw in Intel hardware. This flaw could enable hackers to access corporate laptops remotely.

Earlier it was revealed that Intel chips had flaws that made almost every smartphone, laptop or tablet vulnerable to hackers. This flaw is reportedly unrelated to Spectre and Meltdown and is instead an issue within Intel Active Management Technology (AMT).

According to F-Secure, AMT is commonly found in most corporate laptops and the flaw will allow an attacker to take complete control over a user's device in a matter of seconds.

“The issue potentially affects millions of laptops globally," the cybersecurity firm said.

The hacker would need physical access to the device at first, but once they had reconfigured AMT they would be able to effectively “backdoor” the machine and access it from a remote server simply by connecting to the same network as the user.

There is also a possibility that the hacker could configure AMT to connect to their own server, bypassing the need to be on the user’s network at all.

After exploiting the flaw, the hacker would be able to access all information on the device and could easily make changes, download malware and so on. No solutions or security measures have been found as yet, other than choosing a strong AMT password or disabling AMT completely.

Hackers Target Winter Olympics to be Held in South Korea

Cybersecurity company McAfee has discovered that hackers have targeted organizations connected to the Winter Olympics that will be held in South Korea, and have tried to access sensitive information.

The hacking campaign ran from December 22 and is still under investigation by the firm. McAfee has stated that the attacks point to “a nation-state adversary that speaks Korean.”

The attacks seem to have been carried out via emails sent to various organizations containing a malicious document that would create a hidden back channel into the computer if enabled. These emails were disguised as being sent by South Korea’s National Counter-Terrorism Council.

The emails were sent from a Singapore IP address and told receivers to open a text document in Korean.

Among those sent the messages were individuals associated with the ice hockey tournament at the Olympics. The McAfee Labs report can be seen on the firm's website here.

According to a senior analyst at McAfee, at least one of the recipients was infected by the document.

AIG Launches New Cyber Threat Analysis Service to Understand Cyber Risks

American International Group Inc., an American multinational insurance company, has launched a new system for cyber threat analysis.

The system scores companies on the degree to which a cyber attack may affect their business and the potential costs involved. It compares the company’s risk of having a breach to the safeguards it has in place.

Tracy Grella, AIG’s Global Head of Cyber Risk Insurance, in an interview said, “AIG’s underwriters have been using the computerized analysis since November, which combines information from a new insurance application designed for the process and data about current cyber threats to generate scores on various related factors.”

With mounting cyber threats to businesses, the system aims to provide a way to measure the risk a business faces so that cyber coverage can be taken into consideration.

This comes after AIG said in October that it would review all coverage types to check for cyber risk and give insurers a clear picture of cyber coverage and estimated financial exposure. It will also create a cyber-risk report for customers containing the analysis scores, for understanding and comparison.

Along with this, AIG also announced their partnership with cybersecurity companies CrowdStrike Inc and Darktrace, on Tuesday, to launch CyberMatics, a service that verifies information AIG receives from customers’ cybersecurity tools.

Darktrace Chief Executive, Nicole Eagan, said, “The service uses artificial intelligence, or the ability of machines to carry out tasks normally associated with human intelligence, to look inside an insured company’s network for strengths and vulnerabilities.”

Tracy Grella said that while companies are not required to use the service, those who do may be able to negotiate more favourable policy terms.

Russia to create a National Internet filtering system that allows only WhiteListed sites

By 2020, Russia will launch a national web-filtering system intended to protect children from negative and dangerous content.

Denis Davydov, the head of the Secure Internet League, said that there are two versions of the project:

1. Traffic filtering in educational institutions.

2. Traffic filtering by default for all users.

With the second option, users will be able to access unfiltered content if they submit a written request to their provider or untick a checkbox in their account settings.

The Secure Internet League currently maintains a "white list" of websites containing more than 1 million resources.

Igor Ashmanov, an IT businessman, thinks that the idea of "white lists" of websites is not viable. According to the expert, a system of "smart" operational filtering that blocks prohibited content is what is important and necessary.

"We support the idea of restricting children's access to unwanted content and have been working in this direction for a long time", Julia Dorokhina, the official representative of "MegaFon", said.

- Christina

CERT-In empanelment norms may be suboptimal for national cyber security

"IT Security compliance is a mandatory requirement for the critical sector organizations. Due to a Government directive or prevailing legal / regulatory provisions, only CERT-In empanelled IT Security auditing organisations are eligible to carry out such IT Security audits." - Guidelines for applying to CERT-In for Empanelment of IT Security Auditing Organisations

The Indian Computer Emergency Response Team (CERT-In) no doubt had the best intentions in mind when it issued its guidelines. But as they say, the best laid plans sometimes go awry, and such a result may arise as a consequence of some of the technical qualifications specified in the guidelines.

Why should CERT-In be in the business of empanelling organisations or pre-qualifying the security industry? In neither the US nor the UK, for example, do the respective CERTs get involved in such issues. Does CERT-In empanelment guarantee anything, or is it part of a bureaucratic checklist? Such practices also fly in the face of the Government’s commitment to Less Government and More Governance. The empanelment norms may also result in regulatory capture.

Pre-qualification criteria including a minimum number of technical staff, formal qualifications, formal experience and a number of formal audits in a specified time frame may be acceptable for financial audits, medical audits, bridge inspection and the like, but they do not make sense in the area of cyber security.

The best in cyber security in India, indeed the world over, are freelancers: young kids and hackers who are in the Halls of Fame of companies such as Google, Facebook and Microsoft for having discovered vulnerabilities that bypassed the expert eyes of hundreds of highly qualified and experienced domain experts in those organisations. These freelancers and individuals have no certifications, no formal qualifications and no formal audit experience, and will never work formally with any organisation.

Countries like the US have realised this. Instead of concentrating on a few empanelled entities, organisations there focus more on zero-day exploit finders and bug bounty hunters. These countries realise that the main threat comes from hundreds of highly motivated (if maliciously so), highly skilled, highly unconventional individuals working either alone or in informal partnerships. Cyber risks are asymmetrical, unconventional and global, and as such need an appropriate response.

Empanelment can also breed complacency, a false sense of security. In contrast, what effective cyber security needs is a degree of paranoia. Will anyone get fired for ineffective cyber security if the security audit has been done by a firm empanelled by CERT-In? Will CERT-In formally certify an organisation’s cyber security preparedness if the security audit is done by an empanelled firm? Will CERT-In and the empanelled firms provide financial guarantees to back up cyber audits?

It is commonly known that ISO 27001, as implemented in India by auditors, concentrates more on process than on ferreting out vulnerabilities. Out of the 25 organisations that CSPF has done security consulting with, 21 suffered a hacker attack despite being certified by auditors. The certification did not prevent hackers from gaining access to data in these organisations. All 25 organisations had ISO 27001 certification and were conducting vulnerability assessments and penetration testing every 3 months, as is mandatory under ISO 27001. When CSPF did an APT assessment post incident, it found that websites even had simple vulnerabilities like CSRF and SQL injection (almost 3/10 of the OWASP Top 10 vulnerabilities). In over 50% of cases, formal discovery of APT attacks or cyber espionage was made only 7-8 months after the actual event.

Zero-day exploits, or unknown vulnerabilities in software, are amongst the most potent tools used by black hat hackers for cyber attacks. How many cases does one know of black hats revealing their zero-day secrets, especially to security auditors? They would make more money selling them to national security agencies or governments for use as espionage tools.

To counter black hats, one needs equally motivated, unconventional and highly skilled white hats, who are more often than not lone wolves. Some of the best white hats this writer knows of have not even passed Std 10, yet they are in the Google Hall of Fame. This is the talent India needs to leverage, and talent that India cannot afford to waste.

Critical infrastructure organisations and businesses in India need to look beyond CERT-In empanelled security auditors. Formal rules and norms apart, organisations need to set up liberal bug bounty programs and invite independent bug bounty hunters to take a crack. This alone will separate the men from the boys.

J Prasanna, Founder, Cyber Security & Privacy Foundation

High School Teen claims he hacked CIA Director’s personal account

An American high school student says he hacked the personal email account of Central Intelligence Agency (CIA) Director John Brennan, a claim that law enforcement sources have also confirmed.

Brennan’s private account held sensitive files, including the 47-page SF-86 application that Brennan had filled out to obtain top-secret security clearance; he only recently learned that the account had been infiltrated.

The applications are used by the government to conduct background checks. They contain a lot of sensitive data about workers seeking security clearance and about their friends, spouses and other family members. They also include criminal history, psychological records and information about past drug use, as well as potentially sensitive information about the applicant’s interactions with foreign nationals, which could be used against those nationals in their own country.

The hacker said the director had the information stored on his personal AOL account, which reportedly also held the social security numbers of more than a dozen senior American intelligence officials. Moreover, it contained a document on ‘harsh interrogation techniques’ used on terrorism suspects.

The high school student who hacked into Brennan’s account has not given his name or where he lives, but according to his social media posts, he said he was motivated to go after the CIA director because he is opposed to US foreign policy and supports Palestine. Even though he says he is not Muslim, his Twitter page reportedly uses quotes from the Quran and about Allah being the one true God.

He also said that he and his classmate would be tweeting “CWA owns John Brennan of the CIA” as a means of verifying his control over the @phphax Twitter account.

CWA stands for “Crackas with Attitude”.

Not only did he break into Brennan's account, but he also posted some of the stolen documents and a portion of Brennan’s contact list on Twitter.

The teen claimed he has repeatedly prank-called America’s top spy since August, once reciting Brennan’s Social Security number to him.

The teen first told the New York Post that he used a tactic called ‘social engineering’ to hack the account. He posed as a Verizon worker to trick another employee into handing over the CIA director’s personal information, and then duped AOL into resetting his password.

The hacker did not work alone; other unknown people were also involved. Their team first did a reverse lookup of Brennan’s mobile number to discover that he was a Verizon customer, after which one of them posed as a Verizon technician and called the company asking for details about Brennan’s account.

Brennan’s account was disabled as of Friday.

In a statement, the CIA said: “We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”

The Federal Bureau of Investigation (FBI) and other federal agencies have started investigating the hacker, and there is a possibility that criminal charges will be brought against him.

Apart from Brennan’s account, the hackers also broke into the Comcast account of Homeland Security Secretary Jeh Johnson.

The news of the breach comes in the midst of another email scandal involving Hillary Clinton who has been under fire for months over a private server and email account she maintained to do official work.

If the director of the CIA kept a secret database of information on his personal account, it is a violation of US federal law, which requires anyone in possession of top secret information to keep it only in a secure government venue. Breaking that law is a felony.

Cyber threats may well face an insurance vacuum; firms need to look after themselves

Anecdotal evidence suggests that the global insurance industry is unwilling to play ball on writing cyber insurance policies. Companies are facing unprecedented cyber threats and are therefore seeking ever larger cyber insurance covers. Insurers, however, are either unwilling to write policies, or are writing limited policies at a fat cost or with significant conditions attached. Firms are looking for US $1 billion covers, but the insurers are not biting.

It is not hard to understand the predicament of insurers. As it stands today, cyber insurers face information asymmetry: there is little or no actuarial insight available. No insurer has a clue what hidden vulnerabilities exist in a company’s IT set-up (software, websites, networks, data centres and processes). How can insurers know when companies themselves do not fully understand their vulnerabilities?

The task for insurers is made even more difficult by the fact that attacks may not be aimed at a big firm directly. The recent attack on Apple’s iOS App Store suggests that hackers may have discovered another route to compromise the internet: infecting the machines of software developers writing legitimate programs and apps. Developers are a huge, globally dispersed (and therefore geopolitically exposed) and logical target for hackers, and this approach may be harder to defend against.

Further, insurers also need to take into account that businesses now operate in internet-linked ecosystems that include multiple partners and suppliers of various sorts, in addition to outsourced software development. Smaller, less prepared, less well-equipped members of those ecosystems offer hackers an easier route into the systems of the big firms.

The situation gets extremely complicated when one considers the scale of cyber threats. One estimate puts the annual cost of cybercrime to the global economy at US $375 bn to US $575 bn. That is a lot of money, and the reluctance of insurers to write policies against hugely expensive and unknown threats is unsurprising, to say the least. Attackers are remotely located, face no direct or immediate physical threat and are unafraid to take risks.

Testing for vulnerabilities is a deeply technical issue. When faced with Advanced Persistent Threats (APTs) and 0-day vulnerabilities, it needs to be borne in mind that businesses are up against attackers who typically belong to organised criminal groups, mafia groups, black-hat hacker groups or state-backed groups.

An APT attack happens when committed adversaries persistently use advanced techniques to compromise targets. Extremely hazardous 0-day exploits (vulnerabilities found by hackers and never reported to security vendors) are found in operating systems, application software, browsers, antivirus software, firewalls and internal application software. On average, twenty 0-day vulnerabilities exist in any given server. 0-days have the highest success and damage rates and the least probability of detection by firewalls, IDS, AV and similar controls.

The problem is also compounded by the lack of senior management involvement in vulnerability assessment and penetration testing exercises. This is not a matter that can be left to systems administrators or developers, who are better equipped to remediate security issues than to discover vulnerabilities.

Given the reluctance of insurers to play ball, companies may have little choice but to look after themselves. The buck needs to stop at the desk of senior management, and Boards need to ask difficult questions. Cyber threats are strategic in nature, and as such a strategic response is called for to defend against financial and non-financial damage.

Constant vigilance, vulnerability assessments and penetration testing are essential for defence. Companies also need to use counter-cyber-espionage and counter-intelligence techniques to protect themselves against cyber-attacks, and to inject themselves with a healthy dose of paranoia.

Author: Prasanna J, Founder of Cyber Security and Privacy Foundation (CSPF)

Turn off macros in Microsoft Office applications to protect yourself from an active malware spam campaign

Email samples. 

Think before opening an attachment from an unsolicited email, especially if you are in Japan, as you might be the target of a malware-ridden spam attack. There is no need to worry, though: to protect yourself, turn off macros in Microsoft Office applications. This prevents macro-based threats from executing.

The problem came to light on October 8, when employees of various corporations in Japan started to receive suspicious-looking emails that turned out to carry malicious attachments.

Researchers from Symantec, who discovered the malware, confirmed that the emails were part of a wave of malware-ridden spam attacks currently active in Japan.

The emails carried attached Microsoft Word document files containing a malicious macro.

The researchers said that the macro attempted to download the same executable file (65g3f4.exe) from multiple remote locations. The multiple download sources were probably a redundancy measure in case some of them were taken down.

“We have observed download attempts from the following domains: Leelazarow[.]com, Rockron[.]com, www[.]profes-decin[.]kvalitne[.]cz,” they said in a blog post.

“There are two variations of the emails: one is an order confirmation from a Japanese equipment supplier and the other pretends to come from a local printing company,” the researchers added.

Symantec detects the malicious Word document as W97M.Downloader, a known vehicle for other threats such as Trojan.Cryptodefense and Trojan.Cridex.

The document in turn downloads a banking Trojan that Symantec detects as Infostealer.Shiz. The researchers said that installing such a Trojan on corporate computers could give the attackers a foothold on the network from which they can spread and find other items of value.

The malware also appears to be designed specifically for Japan, as 98 percent of its detections are located in the country.

“Our telemetry shows that this particular variant of Infostealer.Shiz is being distributed almost exclusively in Japan, as 98 percent of the detections are located in this region. There are currently no indications that specific industries or companies are targeted,” the researchers concluded.
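Disabling macros on the desktop is the advice above; a mail gateway can also hold macro-bearing Word attachments before they reach a user. The following check is an added example, not code from Symantec or from this article: it flags a Word file that carries a VBA project in either the legacy OLE2 (.doc) or the OOXML (.docx/.docm) format. The sample documents are constructed in memory, and the OLE2 stream-name check is a heuristic rather than a full parser.

```python
import io
import zipfile

# Added example (not Symantec's code): heuristic check for VBA macros in a Word
# attachment, in both the legacy OLE2 (.doc) and the OOXML (.docx/.docm) formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory-entry names are stored as UTF-16LE; these streams hold VBA code.
OLE_MACRO_STREAMS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT_CUR")]
# Content types that only appear in macro-enabled OOXML packages.
MACRO_CONTENT_TYPES = (b"macroEnabled", b"vnd.ms-office.vbaProject")


def has_vba_macros(data: bytes) -> bool:
    """Return True if the document bytes look like they carry VBA macros."""
    if data.startswith(OLE_MAGIC):                 # legacy binary .doc (W97M-style)
        return any(name in data for name in OLE_MACRO_STREAMS)
    if data.startswith(b"PK"):                     # OOXML package, i.e. a zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return True
                if "[Content_Types].xml" in names:
                    types = z.read("[Content_Types].xml")
                    return any(t in types for t in MACRO_CONTENT_TYPES)
        except zipfile.BadZipFile:
            return False                           # malformed, not a valid package
    return False


def make_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


def hold_for_analysis(attachments: dict) -> list:
    """Names of attachments (name -> bytes) that a mail gateway should quarantine."""
    return sorted(name for name, data in attachments.items() if has_vba_macros(data))


if __name__ == "__main__":
    mail = {"invoice.docm": make_docx(True), "order.docx": make_docx(False)}
    print(hold_for_analysis(mail))   # ['invoice.docm']
```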

Encryption Law Outrage forces Indian Government to Retreat

The ruling Bharatiya Janata Party (BJP) government withdrew the contentious draft encryption policy on Tuesday (September 22) after a massive public uproar over the proposed measures.

The government said it would put the draft back in the public domain after reworking some of the “expressions” that had given rise to “misgivings”.

The draft policy, drawn up by an "expert group" under the Department of Electronics and Information Technology (DeitY), which comes under the Union Ministry of Communications and Information Technology, sparked outrage on social media, since most messaging services use some form of encryption.

The policy was introduced under Section 84A of the Information Technology Act (2000) and was proposed to enhance information security in India.

Released on Monday (September 21), it proposed to make it mandatory for every citizen, including businesses, telecoms and internet companies, to store all digital communications, including emails and chats, in plain text for a period of 90 days and to produce them to law enforcement agencies whenever asked. Failing to do so would mean legal action under the laws of the country.

Later that day, the government sought to address the issue by releasing an addendum to the draft clarifying that web-based applications and social media sites such as WhatsApp, Facebook and Twitter were exempt. Payment gateways, e-commerce and password-based transactions were also excluded, as transaction details passing through payment gateways could be vulnerable to hackers.

But the next morning the Union Minister for Communications and Information Technology, Ravi Shankar Prasad, directed that the draft be withdrawn.

At a news conference, Prasad stressed that users would not come under the ambit of the encryption policy the government is in the process of framing.

The minister also said that the government completely supported freedom on social media, but that regulation of encryption technologies was the need of the hour.

With the regular stream of terrorist attacks and cyber attacks from across international borders, freedom has become very vital; though it is a basic right, citizens also need safety, security and the assurance that their lives will continue to be safe.

Most experts termed the policy impractical, as end consumers have no idea about encryption: in most cases it is done by applications, and users cannot decrypt the data, only the application providers can.

Meanwhile, the Opposition parties also attacked the government on the issue, with the Congress saying that the Centre’s intent stood “exposed,” while the Communist Party of India (Marxist) (CPI(M)) tagged it the ‘Gujarat Snooping Model.’

In 2010, the United Progressive Alliance (UPA) government said it would ban BlackBerry Messenger (BBM) in India unless the company gave security agencies access to snoop on emails. The two eventually reached an arrangement that allowed the government to intercept messages sent on BlackBerry's platform.

WordPress Team releases version 4.3.1, fixes two vulnerabilities

The WordPress security team has released version 4.3.1 which is now available for download. This release fixes three issues including two cross-site scripting vulnerabilities and a potential privilege escalation. The vulnerabilities were revealed by Check Point researchers Shahar Tal and Netanel Rubin.

The first vulnerability, CVE-2015-5714, a cross-site scripting issue, was present in WordPress 4.3 and all earlier versions, which were vulnerable while processing shortcode tags.

Most users are well acquainted with shortcodes, which are a valuable asset for WordPress developers. The Check Point researchers found a fault in the way shortcodes are handled: in general, "KSES filtering is performed prior to the insertion of data into the DB, and shortcode parsing is performed when printing it to responses."

The researchers then came up with a method that tangled HTML code with a shortcode’s content, which let them leave an HTML anchor tag open and so perform persistent attacks. This was possible because the HTML and shortcode validations took place at different times.
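The root cause is the ordering: the sanitiser runs on what is saved, while the shortcode expander produces the HTML that is actually served. The following toy model is an added example, not WordPress, KSES or Check Point code; the `[link url=...]` shortcode, the allowlist filter and the sample input are all constructed here to show why validating the stored text is not the same as validating the rendered markup, and how escaping at expansion time plus filtering the final output closes the gap.

```python
import html
import re

# Toy model constructed for this example (not WordPress or KSES code) of the
# ordering bug behind CVE-2015-5714: content is filtered when it is saved, but
# shortcodes are only expanded into HTML later, when the page is rendered.
TAG = re.compile(r"<[^>]*>")
# Allowlist: only <b>, </b>, <a href="..."> and </a> survive the filter.
ALLOWED = re.compile(r'<(?:/?b|/a|a href="[^"]*")>')
# Toy shortcode [link url=...]text[/link]; the value runs up to the closing bracket.
SHORTCODE = re.compile(r"\[link url=([^\]]*)\](.*?)\[/link\]", re.S)


def kses_like_filter(text: str) -> str:
    """Drop every tag that is not exactly on the allowlist."""
    return TAG.sub(lambda m: m.group(0) if ALLOWED.fullmatch(m.group(0)) else "", text)


def expand_shortcodes(text: str, escape: bool) -> str:
    """Turn [link] shortcodes into anchors, optionally escaping the attribute value."""
    def to_anchor(m):
        url = html.escape(m.group(1), quote=True) if escape else m.group(1)
        return f'<a href="{url}">{m.group(2)}</a>'
    return SHORTCODE.sub(to_anchor, text)


def render_vulnerable(stored: str) -> str:
    """Filter at save time, expand at render time: the expander can produce
    markup the filter never saw."""
    return expand_shortcodes(kses_like_filter(stored), escape=False)


def render_fixed(stored: str) -> str:
    """Escape attribute values while expanding, then filter the final markup."""
    return kses_like_filter(expand_shortcodes(stored, escape=True))


# Constructed input: it contains no '<', so the save-time filter leaves it intact,
# yet the quote inside the url value breaks out of href once the shortcode expands.
SAMPLE = '[link url=https://example.test/" style="color:red]click[/link]'

if __name__ == "__main__":
    print(render_vulnerable(SAMPLE))  # anchor gains a style attribute the filter would reject
    print(render_fixed(SAMPLE))       # a single href attribute; the quote stays escaped
```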

The second vulnerability, CVE-2015-5714, a privilege escalation bug, allows users to publish private posts and even make them sticky on a site. This vulnerability could have a greater impact on WordPress websites that use the CMS's built-in user management features to build a community around the site.

Besides this, WordPress has also fixed 26 bugs in this new version.