ATM ‘jackpotting’ hacks reach the US

For some ATM thieves, swiping card data involves too much patience — they’d rather just take the money and run. The US Secret Service has warned ATM makers Diebold Nixdorf and NCR that "jackpotting" hacks, where crooks force machines to cough up large sums of cash, have reached the US after years of creating problems in Asia, Europe and Mexico. The attacks have focused largely on Diebold’s front-loading Opteva ATMs in stand-alone locations, such as retail stores and drive-thrus, and have relied on a combination of malware and hardware to pull off heists.

In previous attacks, the thieves disguised themselves as technicians to avoid drawing attention. After that, they hooked up a laptop with a mirror image of the ATM’s operating system and malware (Diebold also mentioned replacing the hard drive outright). Security researcher Brian Krebs understands American ATMs have been hit with Ploutus.D, a variant of "jackpotting" malware that first launched in 2013. The mirror image needs to be paired with the ATM to work, but that’s not as difficult as you might think — the intruders used endoscopes to find and press the necessary reset button inside the machine. Once done, they attached keyboards and used activation codes to clean out ATMs within a matter of minutes.

NCR hasn’t been explicitly targeted in these attacks, but it warned that this was an "industry-wide issue" and urged caution from companies using its ATMs.

It’s definitely possible to thwart attacks like this. The Secret Service warned that ATMs still using Windows XP were particularly easy targets, and that updating to Windows 7 (let alone Windows 10) would protect against these specific attacks. Diebold also recommended updating to newer firmware and using the most secure configurations possible. And both organizations recommended physical security changes, such as using rear-loading ATMs, locking down physical access and closely watching for suspicious activity like opening the machine’s top.

The catch, of course, is that ATM operators either haven’t been diligent or may have a hard time justifying the updates. It’s telling that victim machines have been running XP, a 16-year-old platform whose official support ended in 2014 — the odds aren’t high that companies will keep their ATMs up to date, let alone replace them with more secure models or institute advanced defenses. You may not see a widespread attempt to combat jackpotting in the US until the problem becomes too large to ignore.

Via: Reuters

Source: Krebs on Security

Read the Full Article here: >Engadget

PCI DSS 3.2 will unveil compliance cramming culture

February 1, 2018 marks the deadline for businesses to adopt the new industry standard, PCI DSS 3.2, aimed at reducing and better responding to cyber attacks resulting in payment data breaches.


Originally announced in 2016, the industry has had almost two years to prepare for these increased requirements but a significant percentage of businesses are still not prepared, secure payment solutions provider, PCI Pal, warns.

“The industry has developed a culture of compliance cramming, treating PCI as an annual exam to be passed without working towards a culture of continuous compliance. For businesses in this ‘annual pass’ group, PCI DSS 3.2 could be a rude awakening because it requires evidence of continuous compliance instead of a pass/fail,” said Geoff Forsyth, CTO at PCI Pal.

PCI DSS 3.2 requirements

Primary requirements of PCI DSS 3.2 include:

  • Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
  • Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria.

Despite existing data security standards, many companies struggle to ensure continuous compliance – data taken from a 2017 report found that at the time of data compromise the average merchant is not compliant with almost half (47%) of current PCI DSS requirements. Of those that do pass compliance checks, almost a third are not compliant just 12 months later, according to Verizon’s PCI DSS Compliance report.

PCI DSS 3.2 will address compliance cramming

Forsyth continues: “To be PCI compliant is a constant process. The annual assessment has, to date, only been able to check that the correct processes are in place. PCI DSS 3.2 will change that approach, requiring evidence that device inventories and configuration standards are kept up to date, and security controls are applied where needed.

“Companies should no longer rely on outdated workarounds such as pause-and-resume. The recent spate of high-profile security has thrust this issue into the spotlight but this new standard will ensure it stays front of mind for the industry at large.”

Read the Full Article here: >Help Net Security – News

First ‘Jackpotting’ Attacks Hit U.S. ATMs
ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.

A keyboard attached to the ATM port. Image: FireEye

On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The NCR memo does not mention the type of jackpotting malware used against U.S. ATMs. But a source close to the matter said the Secret Service is warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

According to that source — who asked to remain anonymous because he was not authorized to speak on the record — the Secret Service has received credible information that crooks are activating so-called “cash out crews” to attack front-loading ATMs manufactured by ATM vendor Diebold Nixdorf.

The source said the Secret Service is warning that thieves appear to be targeting Opteva 500 and 700 series Diebold ATMs using the Ploutus.D malware in a series of coordinated attacks over the past 10 days, and that there is evidence that further attacks are being planned across the country.

“The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs,” reads a confidential Secret Service alert sent to multiple financial institutions and obtained by KrebsOnSecurity. “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATM’s operating system along with a mobile device to the targeted ATM.

Reached for comment, Diebold shared an alert it sent to customers Friday warning of potential jackpotting attacks in the United States. Diebold’s alert confirms the attacks so far appear to be targeting front-loaded Opteva cash machines.

“As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanism and the authorization process for setting the communication with the [cash] dispenser,” the Diebold security alert reads. A copy of the entire Diebold alert, complete with advice on how to mitigate these attacks, is available here (PDF).

The Secret Service alert explains that the attackers typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

An endoscope made to work in tandem with a mobile device. Source: gadgetsforgeeks.com.au

“Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers,” reads the confidential Secret Service alert.

At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.

A 2017 analysis of Ploutus.D by security firm FireEye called it “one of the most advanced ATM malware families we’ve seen in the last few years.”

“Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before,” FireEye’s Daniel Regalado wrote.

According to FireEye, the Ploutus attacks seen so far require thieves to somehow gain physical access to an ATM — either by picking its locks, using a stolen master key or otherwise removing or destroying part of the machine.

Regalado says the crime gangs typically responsible for these attacks deploy “money mules” to conduct the attacks and siphon cash from ATMs. The term refers to low-level operators within a criminal organization who are assigned high-risk jobs, such as installing ATM skimmers and otherwise physically tampering with cash machines.

“From there, the attackers can attach a physical keyboard to connect to the machine, and [use] an activation code provided by the boss in charge of the operation in order to dispense money from the ATM,” he wrote. “Once deployed to an ATM, Ploutus makes it possible for criminals to obtain thousands of dollars in minutes. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

Indeed, the Secret Service memo shared by my source says the cash out crew/money mules typically take the dispensed cash and place it in a large bag. After the cash is taken from the ATM and the mule leaves, the phony technician(s) return to the site and remove their equipment from the compromised ATM.

“The last thing the fraudsters do before leaving the site is to plug the Ethernet cable back in,” the alert notes.

FireEye said all of the samples of Ploutus.D it examined targeted Diebold ATMs, but it warned that small changes to the malware’s code could enable it to be used against 40 different ATM vendors in 80 countries.

The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to a version of Windows 7 to defeat this specific type of attack.

This is a quickly developing story and may be updated multiple times over the next few days as more information becomes available.

Read the Full Article here: >Krebs on Security

Someone Stole Almost Half a BILLION Dollars from Japanese Cryptocurrency Exchange

Coincheck, a Tokyo-based cryptocurrency exchange, has suffered what appears to be the biggest hack in the history of cryptocurrencies, losing $532 million in digital assets (nearly $420 million in NEM tokens and $112 million in Ripples).

In 2014, Mt Gox, one of the largest bitcoin exchanges at that time, filed for bankruptcy after admitting it had lost $450 million worth of Bitcoins.

Apparently, the cryptocurrency markets reacted negatively to the news, which resulted in 5% drop in Bitcoin price early this morning.

In a blog post published today, the Tokyo-based cryptocurrency exchange confirmed the cyber heist without explaining how the tokens were stolen, and abruptly froze most of its services, including deposits, withdrawals and trade of almost all cryptocurrencies, except Bitcoin.

Coincheck also said the exchange had even stopped deposits into NEM cryptocurrencies, which resulted in 16.5% drop in NEM coin value, as well as other deposit methods including credit cards.

During a late-night press conference at the Tokyo Stock Exchange, Coincheck Inc. co-founder Yusuke Otsuka also said that over 500 million NEM tokens (then worth around $420 million) were taken from Coincheck’s digital wallets on Friday, but the company didn’t know how the tokens went missing, according to news source Asahi.

The digital-token exchange has already reported the incident to the law enforcement authorities and to Japan’s Financial Services Agency to investigate the cause of the missing tokens.

“We will report on the damage situation and cause of the case, measures to prevent recurrence, but first we would like you to take every possible measure to protect our customers,” said executives of the Financial Services Agency (translated).

This incident marks yet another embarrassing hack in the world of digital currency technology, once again reminding us that the volatility in cryptocurrency prices is not going away anytime soon.

So far, the exchange has not provided any official statement regarding the cause of this hack. We will keep you updated about this incident. Stay Tuned!

Read the Full Article here: >The Hacker News [ THN ]

GDPR: Whose problem is it anyway?

With the GDPR deadline looming on May 25, 2018, every organization in the world that transmits data related to EU citizens is focused on achieving compliance. And for good reason. The ruling carries the most serious financial consequences of any privacy law to date – the greater of 20 million EUR or 4 percent of global revenue, potentially catastrophic penalties for many companies.

Compounding matters, the scope and complexity of GDPR extends beyond cyber security, requiring equal involvement from legal and IT teams. For many security executives, this is causing significant consternation about the organizational borders of GDPR. Specifically, “Who owns It?” and “Who does what?”

Effective GDPR compliance requires well-defined roles and division of responsibilities, as well as strong interdepartmental partnerships. Above all, it’s a team effort, and clear communication is the key. Here’s a snapshot of the three core business areas where integrated efforts are necessary to achieve GDPR compliance, and the distinct challenges of each.

It’s a legal thing

At first glance, it would be easy to attribute many of the GDPR rules to cyber security policies, but there are a staggering number of components of GDPR that fall outside the purview of a typical cyber security program. Take, for example, Chapter 5, which contains stipulations for determining adequacy of protection for third countries, binding corporate rules, safeguards and international cooperation regarding personal data. And that’s just scratching the surface.

A majority of the GDPR heavy lifting from a legal standpoint involves making sure everything is in order from a contracts standpoint, such as ensuring third-party relationships have the appropriate model contract clauses in place to enable compliance (e.g., Privacy Shield Frameworks.)

In successful field cases, the internal and/or external counsel are leading the charge around the contracting, privacy and legal components of GDPR. And as they work to develop the appropriate contract language to enable compliance, they are relying on close coordination with the cyber security team to address questions related to the effectiveness of safeguards, the security of processing, and the risk assessment aspects of GDPR.

It’s an IT thing

The IT team is undoubtedly tasked with the biggest burden around GDPR. This stems primarily from Chapter 3 – Rights of the Data Subject, commonly referred to as the “right to be forgotten,” but it contains far more data subject rights than the right to erasure, such as the right to correct info, the right to portability and the right to object. Enabling these data subject rights is a massive undertaking that entails a substantial amount of work on IT systems and an enormous amount of effort for IT teams – mainly because most legacy systems, from CRM and EHR to ERP and customer web portal systems, were not designed to support these data subject rights.

Based on the sheer volume of raw IT work required to support these data subject rights, achieving GDPR compliance by May 25 will be out of the question for most organizations. While there seems to be a moderate degree of comfort around meeting GDPR requirements in the legal and cyber security realms, there’s no question that CIOs and application architects are facing a grueling – and expensive – task.

It’s a cyber security thing

If GDPR could be boiled down to a one-sentence law, it would likely state, “Don’t get breached; if you do, it’s going to cost a lot of money.” Given the hefty financial penalties associated with GDPR, it’s critical for the cyber security program to mitigate breach risk as much as possible.

This is best achieved by concentrating efforts around six key cyber security pillars – data governance, data classification, data discovery, data access, data handling and data protection. Particularly since IT teams face the most overwhelming mission, this is an opportunity for cyber security professionals to step up and provide air cover for their IT and legal partners as they work together to pursue full GDPR compliance.

The question of the DPO

As part of Article 37 of the GDPR, companies must appoint a Data Protection Officer (DPO) to ensure compliance with the regulation. However, a divide is emerging as many organizations appoint someone from inside counsel while others look to cyber security leadership, such as the CISO or VP of Information Security. There is no right or wrong answer as to ownership of the role, but it’s an area that’s causing a fair amount of confusion.

One of the reasons for this is the unique duality of the role. Article 39 of the GDPR assigns very specific technical tasks to the DPO, related to the monitoring of compliance with the regulation and interpreting the results of data protection impact assessments (DPIAs). Additionally, the GDPR requires that the DPO report to the highest level of management in the company. As a result, the DPO role is somewhat different from both the typical CISO and the general counsel, as it is expected to combine significant technical wherewithal in and around privacy and privacy technology, with the independence and neutrality normally found in general counsel.

In some cases, such as with smaller organizations, appointing a third-party virtual DPO may be the ideal answer. Articles 37 and 38 of GDPR specifically enable organizations to leverage a DPO through a service contract, provided the DPO is readily accessible to the client.

While it’s likely we’ll begin to see coalescence around where the DPO sits and who they report to, the most critical factor is having strong relationships between the legal, IT and cyber security teams – particularly because there are elements in GDPR around reasonableness of controls, the “state of the art” and the cost to implement controls (as defined in Article 32 and mentioned again in Article 25) where cyber security expertise is crucial.

According to Forrester, more than 80 percent of companies affected by GDPR will not comply by the deadline – of these, 50 percent will fail in their efforts to comply, while others will do so willingly, as the result of a cost-risk analysis. However, organizations don’t need to panic. Forming a cohesive union between the legal, IT and cyber security teams is a critical step that can lay the foundation for developing a roadmap for success and showing due diligence in complying with the spirit of the law. This could make an important difference in the event of an incident between May 25 and becoming GDPR compliant.

Read the Full Article here: >Help Net Security – News

Uber security flaw allows hackers to bypass two-factor authentication

Security researcher Karan Saini, from New Delhi, has reported a bug that allows criminals to bypass two-factor authentication. The Uber security flaw is related to account authentication when the user logs in. 2FA requires a person not only to submit the username and password but also to enter the unique code which is sent to his/her phone.

Read the Full Article here: >Computer Security News

Facebook, Microsoft announce new privacy tools to comply with GDPR

In four months the EU General Data Protection Regulation (GDPR) comes into force, and companies are racing against time to comply with the new rules (and avoid being brutally fined if they fail).

One of the things that the regulation mandates is that EU citizens must be able to get access to their personal data held by companies and information about how these personal data are being processed.


Facebook users to get new privacy center

With that in mind, Facebook is getting ready to roll out a new global privacy center, through which users will be able to tweak core privacy settings for Facebook. This should make it easier for users to manage their data, i.e., make informed choices about their privacy.

“Our apps have long been focused on giving people transparency and control and this gives us a very good foundation to meet all the requirements of the GDPR and to spur us on to continue investing in products and in educational tools to protect privacy,” Sandberg said at a Facebook event in Brussels on Tuesday.

Microsoft users get diagnostic data viewer and updated privacy dashboard

Microsoft has already added a new Activity History page to the Microsoft Privacy Dashboard. Through this page, users can see what data are saved with their Microsoft account, as well as to adjust privacy settings on their device or browser.

In the coming months, users will be given the ability to view and manage media consumption data, product and service activity, export any of the data they see on the dashboard and delete specific items. (GDPR also mandates data portability and right to erasure of personal data).

The Windows Diagnostic Data Viewer, currently available only to Windows Insiders, is set to be introduced to the broader Windows user base with the release of Windows 10 Redstone 4 in March or April.

Through this tool, Windows users will be able to see and search all Windows diagnostic data that’s in the Microsoft cloud related to their specific device.


This will include:

  • Common data (OS name, version, device ID, etc.)
  • Device Connectivity and Configuration data (device properties and capabilities, preferences and settings, peripherals, and device network information)
  • Product and Service Performance data (device health, performance and reliability data, movie consumption functionality on the device and device file queries). “It’s important to note that this functionality is not intended to capture user viewing or, listening habits,” says Marisa Rogers, Privacy Officer with Microsoft’s Windows and Devices Group.
  • Product and Service Usage data (device, OS, applications, services).
  • Software Setup and Inventory (installed applications and install history, device update information).

Read the Full Article here: >Help Net Security – News

WhatsApp Vulnerability

maqp • January 25, 2018 5:50 PM

@Afrin, (and Moxie)

“If someone hacks the WhatsApp server, they can obviously alter the group membership.”

This “duh, obviously the proprietary app using Signal protocol has a problem where Signal spec differs from the original open source library in a way that gives the server ability to add contacts that can eavesdrop on communication” is so obvious. How could I have assumed anything different after Moxie said WhatsApp uses same protocol as Signal.

“All group members will see that the attacker has joined. There is no way to suppress this message.”

Moxie misses the fact that some group chats consist of communities where not everyone knows each other. While such groups do have different expectation of privacy for messages, that’s no reason not to have security from nation states. And it’s not impossible to join it without anyone noticing, especially since attacker can forge to each user a message about who added them. Nobody’s going to tell everyone to be quiet and interrogate the new buddy of buddy. Very few actually care about what they share in group if they don’t know them IRL. It’s easy not to think about those contacts.

“I think it would be better if the server didn’t have metadata visibility into group membership, but that’s a largely unsolved problem”

Metadata about who’s in the group isn’t the problem here. Ability to add members to group is.

“In contrast, Telegram does no encryption at all for group messages”

True. But this is also whataboutism. We should not tolerate Durov’s “Signal is funded by US government” accusations, and we shouldn’t accept pointing fingers from Moxie’s side when discussing this issue. This was a screw-up from WhatsApp developers, not Moxie, and I don’t understand why he would stand behind their backs.

“There’s no way to publish an academic paper about that, though, because there’s no attack to describe, because there’s no encryption to begin with.”

It was only this week Tinder made the headlines for not using any encryption at all. Also, there was no attack to describe in Signal yet somehow they managed to publish a formal Signal audit. It probably didn’t make the headlines back in 2016 but is even today extremely valuable proof of security. An audit that makes note of Telegram’s crappy TLS group messaging would not only convince some users, it could also be used as a source in debates, and there’s a chance it could make headlines. One big issue with Telegram currently is its outdated evaluations. It’s not clear what protocol versions the audits apply to or what attacks, like the infamous 64-bit precomputation MITM attack, still apply to the client.

“don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not”

There’s nothing overly impractical about this attack. We consider Telegram’s encryption broken when all it lacks is semantic security (IND-CCA). All this means is you can edit ciphertext without changing what it decrypts into. That’s no different from messing with imaginary ECC bundled into ciphertext. So, why don’t we consider a protocol (implementation) broken when there’s a good chance several end-to-end encrypted messages might leak to an adversary when they are able to join the conversation?

It’s true it’s hard to write stories about Telegram that raise eyebrows, especially with media fixated on Durov as a celebrity. But if enough experts agree on how Durov’s claims about distributed cross-jurisdictional encrypted cloud storage are full of shit, it might change things.

“It’s much more effective to be Telegram: just leave cryptography out of everything, except for your marketing.”

This sums up my feelings about Telegram exactly. Everything they do could work on the Signal protocol. But it’s too easy to beat the competition for an ignorant user-base with invisible insecurity that enables much faster message delivery and feature development.

Read the Full Article here: >Schneier on Security: Cybercrime Paper

Alphabet enters enterprise cybersecurity market, launches Chronicle

Google’s parent company Alphabet has announced its entry into the lucrative enterprise cybersecurity market through Chronicle, a company started in early 2016 as a project at X, Alphabet’s “moonshot factory.”


Chronicle has now “graduated” to the status of an independent company within Alphabet, and is led by Stephen Gillett, formerly an executive-in-residence at Google Ventures and Chief Operating Officer of Symantec.

VirusTotal, a malware intelligence service acquired by Google in 2012, will become a part of the new company, but Chronicle will also offer a new product.

Intelligence and analytics platform

They are still tight-lipped about it, but what we know so far is that they are developing a cybersecurity intelligence and analytics platform. The platform’s task will be to help enterprises quickly and easily manage and understand massive amounts of their own security-related data so that they can stop cyber attacks before they do any damage.

“At large companies, it’s not uncommon for IT systems to generate tens of thousands of security alerts a day. Security teams can usually filter these down to about a few thousand they think are worth investigating — but in a day’s work, they’re lucky if they can review a few hundred of them. Conversely, many investigations are hampered by the gaps in available information, simply because the cost of storing all the relevant data is increasing far faster than a typical organization’s budget,” Gillett noted in a blog post.

Chronicle’s cloud-based platform will run on Alphabet’s powerful and scalable server infrastructure, will offer advanced search capabilities, and will leverage machine learning to find patterns in vast volumes of data that aren’t easily spotted by humans.

According to Gillett, a number of Fortune 500 companies are already testing a preview release of the platform.

He also pointed out that, while the company is part of Alphabet, they will have their own contracts and data policies with their customers.

Read the Full Article here: >Help Net Security – News