
Windows 10 security: Here’s tech support scammers’ latest ploy, says Microsoft

Tech support scammers are borrowing phishing techniques from criminals who seek online credentials.

Scammers are now using links in phishing-like emails to lead potential victims to fake tech support sites.

The new tactic, noticed by Microsoft's Malware Protection Center, marks an evolution in bogus tech support scams that allow criminals to cast a wider net in search of fraud victims.

Historically, tech support scams have cold-called targets. But more recently they have used a combination of malicious ads that automatically redirect victims to a bogus tech support page, and malware that displays a fake Blue Screen of Death (BSOD) or other bogus Windows security alerts.

Online criminals meanwhile have long used mass email to spread links to bogus online bank and email login pages to phish credentials.

Tech support scammers are now using nearly identical techniques, sending emails purportedly from well-known brands such as LinkedIn, Alibaba, and Amazon. The email pretends to be an invoice, canceled order, or social media message that contains dodgy links hidden in seemingly harmless text.

"However, instead of pointing to phishing sites designed to steal credentials, the links lead to tech support scam websites, which use various scare tactics to trick users into calling hotlines and paying for unnecessary 'technical support services' that supposedly fix contrived device, platform, or software problems," explain Microsoft malware protection researchers Alden Pornasdoro, Jeong Mun, Barak Shein, and Eric Avena.

The links in the email generally point to a compromised website that, as with existing tactics, automatically redirects visitors to the scam site. Once there, visitors face a range of social engineering techniques, such as bogus security alert popups, to convince them to call the fake support call center.

One advantage of using phishing email, as Microsoft notes, is that it allows scammers to cast a wider net in addition to existing tactics.

Microsoft's data indicates that three million users each month are exposed to tech-support scams, with most of those affected coming from wealthier nations including the US, UK, Canada, Australia, France, and Spain.

The most widespread tech-support scam malware is known as TechBrolo, which Microsoft calls "support-scam malware on steroids", thanks to its use of a looping dialog box that effectively locks the browser, and an audio file that describes the supposed problem and urges the user to call a support number.

Microsoft notes Windows 10, Outlook.com, Edge, and Exchange Online Protection have a number of features that combine to block tech-support scams and threats targeting the inbox.

Edge can also stop dialog loops by allowing the user to prevent a specific page from creating more pages. Microsoft is also working on a feature for Edge that allows the user to close the browser or specific tabs when this is a popup or dialog message.

Finally, it's worth noting that Microsoft doesn't proactively reach out to users to offer unsolicited tech support. However, users can contact Microsoft via its real support page.


From: http://www.zdnet.com/article/windows-10-security-heres-tech-support-scammers-latest-ploy-says-microsoft/

Privacy group accuses Hotspot Shield of snooping on web traffic

The privacy group says the FTC must investigate discrepancies in the company's privacy policy.

The Federal Trade Commission must investigate claims made against VPN provider Hotspot Shield for allegedly deceptive trade practices, according to a new filing by a prominent privacy group.

Among the chief allegations in the 14-page filing, the Washington DC-based Center for Democracy & Technology (CDT) said the VPN provider violates its "anonymous browsing" promise by intercepting and redirecting web traffic to partner websites, including advertising companies.

Hotspot Shield, which we profiled last year, enables its more than 500 million worldwide users to bypass state censorship as well as regional restrictions on websites and streaming services. David Gorodyansky, chief executive of the service's parent company AnchorFree, told ZDNet at the time that about 97 percent of his users run the free, ad-supported version of the software.

In an interview in our New York newsroom, Gorodyansky said that the company doesn't make money off its customers' data, instead opting for a "zero knowledge" approach to ensure that governments cannot request data on its customers that it doesn't store.

But that isn't the case, says the CDT in its filing. It's accusing the company of logging connections and using third-party tracking to serve targeted advertising.

"Hotspot Shield engages in logging practices around user connection data, beyond troubleshooting technical issues" by using a user's location and IP addresses to "improve the service, or optimize advertisements displayed through the service," the filing says.

The CDT is calling on the FTC to intervene under its authority to prohibit unfair and deceptive acts and practices.

The privacy group began investigating the case in April after Congress repealed broadband privacy rules, which would have prevented internet providers from selling browsing history data to advertisers. The surge in demand for VPN services following the repeal led the group to investigate Hotspot Shield, by far the largest provider for subscribers on the market.

The group partnered with researchers at Carnegie Mellon University to analyze the app and the service and found "undisclosed data sharing practices" with advertising networks.

"Further analysis of Hotspot Shield's reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing," said the complaint.

"Hotspot Shield also monitors information about users' browsing habits while the VPN is in use," it read.

The researchers also found that the app transmits some sensitive cell carrier information on mobile users over an unencrypted connection, the filing says.

VPN providers can be a godsend to anyone living in a region where state surveillance and censorship are rife, and merely a convenience to those who wish to conceal their internet history and browsing traffic from their internet providers -- and any law enforcement agency that comes along. But an inherent issue is that users have to trust their VPN providers as much, if not more than their internet provider not to also collect, monitor, or sell their data.

"People often use VPNs because they do not trust the network they're connected to, but they think less about whether they can trust the VPN service itself," said Michelle De Mooy, director of CDT's Privacy & Data Project. "For many internet users, it's difficult to fully understand what VPNs are doing with their browsing data. That makes clear and accurate disclosures and practices essential."

De Mooy added that the service "fails to live up to its promises or meet the reasonable expectations of its customers."

Gorodyansky said in an email late Monday that he does "not agree" with the filing.

"We strongly believe in online consumer privacy," said Gorodyansky. "This means that the information Hotspot Shield users provide to us is never associated with their online activities when they are using Hotspot Shield, we do not store user IP addresses and protect user personally identifiable information from both third parties and from ourselves."

He also called the claims in the CDT's filing "unfounded."

"While we commend the CDT for their dedication to protecting users' privacy, we were surprised by these allegations and dismayed that the CDT did not contact us to discuss their concerns," he added. "AnchorFree prides itself on being transparent about its data practices and would be happy to engage in a discussion to clarify the facts and better understand the nature of the CDT's concerns."

From: http://www.zdnet.com/article/privacy-group-accuses-hotspot-shield-of-snooping-on-web-traffic/

New Trojan malware attack targets restaurant chains

Dubbed Bateleur, this malware is delivered via macro-laden phishing emails and allows attackers to take screenshots, steal passwords, and more.

A notorious hacking group is back with a new method of distributing Trojan malware, with the aim of creating backdoors into the networks of restaurant chains across the US.

Dubbed Bateleur -- after a breed of eagle -- by the researchers at Proofpoint who uncovered it, it's thought to be the work of Carbanak, a group that focuses its attacks on corporate targets.

The group has stolen over $1bn from banks worldwide and is thought to be behind a string of other attacks.

Carbanak has previously targeted hospitality organisations including retailers, merchant services, and suppliers. This time, however, it is attempting to infiltrate chain restaurants through a backdoor into their Windows systems, enabling the group to take screenshots, steal passwords, execute commands, and more.

In order to increase the chances of infection without being detected, the JScript backdoor is accompanied by new macros, anti-analysis tools, and sandbox evasion techniques that help cloak its activity.

As with many cyberattacks, a phishing email is used to lure in the target. The message is sent from an Outlook or Gmail address and claims to contain information about a previously discussed cheque in an attached Word document.

The attachment claims the document is encrypted and protected by 'Outlook Protect Service' or 'Google Documents Protect Service' depending on the email address sending the message. In both cases, names of authentic antivirus companies appear on the JScript document dropper in order to lure the victim into a false sense of security.

If the user is tricked into enabling editing of the document, the document accesses the malicious payload with a series of scheduled tasks, in an attempt to avoid detection.

Researchers describe the JScript as having "robust capabilities" including anti-sandbox functionality and anti-analysis obfuscation. It's also capable of retrieving infected system information, listing running processes, executing custom commands and PowerShell scripts, uninstalling and updating itself, and taking screenshots.

In theory, Bateleur can also exfiltrate passwords, although this particular instruction requires an additional module from the command-and-control server in order to work. Currently, the malware lacks some of the features required to do this, and does not have backup servers, but researchers expect these to be added in the near future -- especially given the persistent nature of the attackers.

Proofpoint have identified Carbanak as the perpetrators of this campaign with "a high degree of certainty" due to some telltale signs.

Firstly, similar messages have been sent to the same targets in attempts to deliver GGLDR, a malicious script associated with Carbanak's VBScript malware.

Secondly, a Meterpreter in-memory DLL injection downloader script called TinyMet has been spotted being downloaded by Bateleur, and subsequently been used repeatedly by the group.

Researchers also note that the PowerShell password grabber utilised by Bateleur contains a dynamic-link library identical to the one found embedded in GGLDR samples.

"The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group's expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines," Proofpoint researchers Matthew Mesa and Darien Huss said in a blog post.

From: http://www.zdnet.com/article/new-trojan-malware-attack-targets-restaurant-chains/

Ombudsman says SMBs are a growing target for cybercrime in Australia

As the threat escalates, the Australian Small Business and Family Enterprise Ombudsman has said it is also unclear where small-to-medium businesses should turn in the event of a cyber attack.

According to Kate Carnell, Australian Small Business and Family Enterprise Ombudsman, half of small-to-medium enterprises (SMEs) operating in Australia believe their limited online presence protects them from cybercrime.

However, Carnell believes the opposite to be true -- that the presence they have does make them a prime target for cyber criminals.

Speaking at the ASIAL Security Conference in Sydney last week, Carnell said a lot of SMEs don't think they have anything warranting a cyber attack, believing criminals instead would target the "big guys".

"They know the big guys have really cool systems and they know the little guys haven't," she explained. "Cyber criminals now are attacking small businesses as a result, very, very regularly."

A former pharmacy owner, Carnell said she employed a range of physical security practices, including multiple safes, as a way of preventing the bad guys from accessing both her business' money and medication. But now, she said the threat to a pharmacist is the world -- not just a few known local nuisances.

"Everybody can attack the computer system in a pharmacy," she said.

"Small business are attacked for a whole range of reasons, one is their systems are pretty low, their knowledge in the area is pretty low, they don't have in-house IT people, most people don't really understand this stuff at all ... and they have a tendency to pay accounts and invoices quickly. When you get a false account, they have a nasty habit of being paid."

According to the ombudsman, the average cost to businesses as a result of an online scam is about AU$10,000, with most of the scams coming in via email or phone. 30 percent of small businesses reported experiencing a cybercrime incident in the year to mid-2015 -- a 109 percent increase over the year prior. Carnell, however, is certain that figure was a lot higher as a lot of small businesses don't want to admit they've fallen victim.

Australia is a nation of small business operators -- defined by the ombudsman as businesses employing fewer than 20 people and by the Australian Taxation Office as businesses turning over below $10 million.

In Australia right now, 97 percent of businesses are small businesses employing fewer than 20 people -- that is 2.1 million individuals employed by a small business.

"The vast percentage of businesses in this country fall into that category," she said.

Carnell added that many do not have a chief operating officer, in-house lawyers, or IT folk. They don't really get cybersecurity even though they know it's a problem, and the CEOs are often actively running the day-to-day business with an office structure around them. As a result, cyber protection is often forgotten.

"This is starting to be a bigger impact among our economy ... than some traditional forms of crime," she explained, but noted that the challenge for many SMEs is they don't know how to protect themselves.

"The reason they don't know how to deal with it is that there's so much stuff in the space across government ... there's a lot of different parts of the federal government dealing in the cybersecurity space.

"But from a small business perspective, where do you go? Do you go to ASIC, the AFP, Scamwatch, the ATO?"

Previously, Opposition Leader Bill Shorten said that millions of SMEs in Australia need the federal government to help them stay safe in the digital world.

"They need [help] in the way that's simple enough for them to incorporate it into their business and that they can afford," Shorten said, addressing Parliament in November. "This means having the resources to design cyber defences for products, processes, and people."

With grants of up to AU$2,100 becoming available next year to SMEs to support a cybersecurity IT system, Carnell said Australia is still a mile away from small businesses knowing where they have to go to report and what they have to do to be safe.

"60 percent of small businesses that have a major cyber attack go broke within 12 months," she said.

"This is a huge problem and it's a major opportunity for the cybersecurity industry."

From: http://www.zdnet.com/article/ombudsman-says-smbs-are-a-growing-target-for-cybercrime-in-australia/

Bitdefender: Organisations must empower IT staff to mitigate cyber threats

Despite two large cyber attacks making headlines in the first six months of 2017, the security firm is still finding cybersecurity responsibility lies solely with the underfunded IT team.

With the WannaCry ransomware and Petya malware attack recently causing damage to organisations worldwide, even halting chocolate production at Cadbury's Hobart factory, security firm Bitdefender has urged organisations to assist IT teams in preparing for, and mitigating against, future attacks.

According to Bogdan Botezatu, senior e-threat analyst at Bitdefender, organisations need to have mitigation in mind as it's a matter of when an attack happens, not if.

Speaking with ZDNet while visiting Sydney from Romania, Botezatu said organisations first need to understand what type of security they need and not overlook any aspect, while also trying to see through the noise, such as marketing buzzwords and an over-saturated cybersecurity industry.

"An enterprise has a diverse range of technologies ... all these are potential threats," he explained. "It's no use for you to have the best end-point security solution if your payment processor in the cloud is left open."

Botezatu said a standard IT team finds itself constantly under fire, and it's important that the responsibility doesn't just lie with them.

"They have external attacks, they have users inside who need technical support -- the IT team needs to always be on the lookout to help non-tech savvy departments ensure they don't shoot themselves in the foot by opening [an executable] promising kittens," he explained.

"They don't have time to monitor 60 security solutions ... because everything is on fire around them and their time needs to go to good use."

With organisations, particularly in Australia, relying heavily on cloud-centric applications, most of an organisation's estate now lies outside the physical boundaries of its HQ. Yet Botezatu said many organisations are still running security solutions built for on-premises protection, noting that those solutions don't translate well into the virtualised world.

Despite claims that some organisations have employed services from over 80 security vendors, Botezatu said the majority of attacks start with some form of social engineering targeting an organisation's employees.

To Botezatu, education is an organisation's greatest defence mechanism.

"You need to encourage the user to adopt security best practices and to stay aware about what they're allowed to do with company property," he explained, noting it's better to speak with them in order to prevent, rather than to punish.

"This is probably the most basic security measure ... make them understand what you're trying to achieve."

Botezatu said that while educating the people within an organisation is free, in many organisations, the sentiment is falling on deaf ears.

"That's one of the issues with the industry, that most of the IT workforce is mobilised to plugging phones into the infrastructure rather than getting some coffee time with people to understand what they are trying to protect the organisation against," he said.

"Very few people would hazard to do stupid stuff on company resources if they knew they were harming the company, with the exception of disgruntled employees.

"People will lend you a helping hand to protect your organisation if you told them your organisation needs protecting, but usually, the IT guy comes among the masses saying, 'hey guys, you know nothing about security, you need to do that, that, and that -- otherwise I'm suspending you'."

He said as an employee, individuals need to be a part of the cybersecurity effort, not trying to outsmart the IT guy who has disallowed access to Facebook.

"I'm still waiting for when the CIO will have a solid place at the board table," he added. "It's not happening and the finance department is pulling all the strings."

Although estimations suggest an organisation should be spending 20 percent of its yearly revenue on cybersecurity-related initiatives or products, Botezatu said it's rarely the case.

It's a trend experienced globally, he added, especially in the public sector where the lowest bid always wins.

From: http://www.zdnet.com/article/bitdefender-organisations-must-empower-it-staff-to-mitigate-cyber-threats/

No more ransomware: How one website is stopping the crypto-locking crooks in their tracks

No More Ransom launched a year ago: here's the story of how cybersecurity firms and law enforcement are working together to bring down ransomware.

Ransomware is a huge problem. While the recent WannaCry and Petya attacks brought the file-encrypting malware to the attention of a global audience twice in as many months, ransomware has been rising up the list of corporate cybersecurity headaches for years.

During 2016 alone, ransomware attacks cost victims over $1bn thanks to the simple fear tactics it employs: pay up, or we delete all your data. In many instances, organisations are willing to give in and pay the cybercriminals.

Law enforcement organisations and cybersecurity companies around the world have attempted to do what they can to disrupt ransomware -- whether through takedowns of cybercriminal gangs by the authorities or security companies finding and providing decryption keys.

But this disjointed approach can only get so far in the modern hyper-connected world in which criminals cooperate across international borders and time zones.

It's why the No More Ransom initiative was launched a year ago, with the idea of bringing together law enforcement and private industry to combine efforts in the fight against cybercrime.

"It's the idea of everyone bringing what they're best at to the table to jointly try and tackle the biggest threat that we see out there," says Steve Wilson, head of Europol's Cybercrime Centre (EC3).

Launched jointly by Europol, the Dutch National Police, McAfee (then Intel Security), and Kaspersky Lab on July 25 2016, No More Ransom provided keys to unlocking encrypted files, as well as information on how to avoid succumbing to ransomware in the first place.

The portal initially provided decryption tools for four ransomware families: Shade, Rannoh, Rakhni, and CoinVault. It was collaborative work on decrypting CoinVault that led to the creation of a precursor to No More Ransom.

"We were working on CoinVault and did a lot of work with the Dutch police, and we were able to identify the command and control servers the cybercriminals were using," says David Emm, principal security researcher, Kaspersky Lab.

The operation led to Kaspersky uploading free-to-use decryption keys to a website and it took off from there. "It was really successful and this was just one and part of a wider trend, so we wanted to establish wider involvement," he says.

McAfee agreed that this collaboration -- both between competing private firms and the authorities -- was the way forward in the fight against the escalation of ransomware.

"There was just a sense that what would be nice would be to have an initiative to collaborate and work together on. But also to have a single point that people could go to when we create free decryption tools," says Raj Samani, chief scientist at McAfee.

That single place was the No More Ransom portal, which since its launch has been hosted by Amazon Web Services and Barracuda Networks -- and if it wasn't for cloud-hosting, the website would have been overwhelmed on its first day.

"Part of my responsibility was to find a hosting provider and I remember at the time I was asked how many HTTPs requests do you think you'll get a day and I thought 12,000 a day would be reasonable," says Samani.

"On day one we had 2.7 million -- then during one day, the weekend of WannaCry, we had eight million hits in a single day, so it's much bigger than we ever thought."

Following the initial success of the initiative, seven more cybersecurity firms have since joined as associate partners -- Bitdefender, Check Point, Trend Micro, Emsisoft, ElevenPaths, Avast and CERT.PL -- each contributing to the development of decryption keys.

Dozens of law enforcement agencies -- including Interpol, Enisa and the NCA -- have also become actively involved in the scheme, which also receives additional support from dozens of security firms. There are now 109 partners in total and for Wilson, the more involved, the merrier: "The more people we get to contribute, the better this resource is going to be," he says.

Cybercrime is a global problem, but while there is more international cooperation between law enforcement agencies than there's been before, rules and regulations mean that sometimes the authorities can't act as quickly as they'd like.

That's a disadvantage against global crime gangs, but private cybersecurity firms can be more flexible, enabling the No More Ransom operation to take the fight to cybercriminals at a faster pace by releasing decryption tools as and when they're developed.

"Law enforcement agencies have restrictions that criminals don't -- they have the logistics of paperwork. Whereas at least under the umbrella of a project like this, there's nothing to slow it down," says Emm.

It's difficult to quantify the exact number of decryptions which have occurred thanks to downloads from No More Ransom -- the portal just provides links, it doesn't monitor what happens next -- but it's thought that over 28,000 decryptions have taken place using the tools, saving millions from being paid to cybercriminals in the process.

"It really strongly justified a single response to this rather than over each country trying to develop something themselves," says EC3's Wilson.

No More Ransom doesn't discriminate about what decryption tools are added to the portal -- sometimes these come in batches, sometimes individual decryptors are uploaded as and when they're made available -- but how does this happen?

There are a number of ways. The first is if encryption keys simply get leaked. Indeed, an example of this occurred just hours after the launch of No More Ransom when the cybercriminal gang behind the Petya ransomware -- long before it caused a global incident -- leaked 3,500 decryption keys for a competing form of ransomware, Chimera. "We were able to grab them and create a tool," says Samani.

But most of the time, decrypting ransomware comes down to hard work, with cybersecurity firms and the authorities working together in order to identify ransomware variants and crack codes.

"Working with law enforcement, we identify the infrastructure, go through the proper legal process to seize the key server and extract the decryption keys," says Samani. That's how Shade ransomware was decrypted, resulting in 165,000 decryption keys being made available.

That's where the aid of law enforcement especially comes in -- a cybersecurity firm can't walk in and seize a botnet, but they can aid in its takedown, as was the case with Operation Avalanche, which took down a prominent malware botnet.

"On the offensive side from us, tackling the actual business model of ransomware-as-a-service and very much going after the large scale perpetrators of cybercrime is very much what we're trying to do," says Wilson.

Naturally, the very existence of No More Ransom has irked malicious actors. "Analysis of the chatter on underground forums shows how angry they are," says McAfee's Samani. "We even had a ransomware variant named after us -- there's an extension that had been encrypted as NoMoreRansom."

So the portal is required to have the best defences possible in order to prevent attacks against it.

"We've got to do all the normal housekeeping things to keep it secure. We've got to pen test it to ensure that it's as secure as we can make it. People are going to want to stop it, we need to make it as resilient as we can," says David Emm.

That's where Barracuda Networks and Amazon Web Services come in -- both powering the portal and keeping it safe from attackers -- in the spirit of cooperation on which No More Ransom is based.

"I'm blown away by how open and collaborative we've been. AWS, for example, hosting it for free, it's incredible, it's probably the most targeted website in the world and they've said OK, no arguments," says Samani.

A year on from the launch of No More Ransom, what's the project's future? An anniversary update includes more decryption tools and the website translated into even more languages to reflect the global interest in the project and to help users and businesses around the world.

The platform is now available in 26 languages, with the most recent additions Bulgarian, Chinese, Czech, Greek, Hungarian, Indonesian, Malay, Norwegian, Romanian, Swedish, Tamil and Thai.

Ransomware is a major problem and while no one is under any illusion that the project is going to eliminate the problem, those behind it are doing all they can to educate against the dangers of ransomware and provide aid against it.

"We totally accept that this isn't a panacea; there's always going to be a lag time between us being able to assist, but we're trying to make that difference," says Wilson.

That's no small task, given ransomware is ever-evolving -- and things are likely to get worse before they get better.

From: http://www.zdnet.com/article/no-more-ransomware-how-one-website-is-stopping-the-crypto-locking-crooks-in-their-tracks/

Singapore government uncovers lapses in IT systems control

Numerous oversights have been found in how the country's government agencies managed their IT systems, including unapproved administrative changes and unauthorised access by external vendors.

Numerous lapses have been uncovered over how Singapore government ministries and agencies managed their IT systems, which include unapproved administrative changes and unauthorised third-party access.

These oversights were highlighted by the Auditor-General's Office (AGO) in its annual audit of government accounts for the fiscal year, ended March 31, 2017. The assessment covered eight areas including procurement and payment, financial controls, IT controls, and contract management. All 16 government ministries, 12 statutory boards, and five government-owned companies were among those audited.

The AGO said it identified weaknesses in IT controls across several public sector entities, some of which were similar to those highlighted in previous audits.

"The lack of attention to these areas observed in some entities is of concern in view of the public sector's high dependency on IT systems and data for government operations, and the fast-evolving IT security threats," it noted in its report released Tuesday.

The office added that IT was widely used across Singapore's public sector to manage financial transactions, engage with citizens and businesses, as well as enhance work productivity. These government bodies also manage large volumes of data containing personal and other sensitive information.

Amidst a landscape where cybersecurity threats were increasing, the AGO underscored the need for Singapore's public sector to adopt effective measures to safeguard their IT systems and data.

In its report, it noted several lapses in IT controls under the purview of the Central Provident Fund Board (CPFB), Singapore Corporation of Rehabilitative Enterprises (SCORE), the National Parks Board (NParks), and the Ministry of Social and Family Development (MSF).

The CPFB, for example, failed to monitor its IT security systems and unauthorised changes to its databases and systems. During test checks of system logs over three months, the AGO determined that 88.7 percent of changes made by CPFB administrators were not pre-approved. Alert reports generated for review by an IT security monitoring system also were incomplete.

In addition, 14 user accounts were not removed promptly after employees had left the board. Of these, six accounts were used after the staff's last working day and the identities of those who accessed the accounts could not be determined.

Similar lapses were found at NParks, which did not remove the access rights of 104 suspended user accounts after the employees had left the organisation, some as far back as a decade ago.

Over at MSF, which was monitored over 11 months, 595 instances of access by its IT vendor team were found to be inappropriate and to warrant further investigation. In fact, 560 of these involved the IT vendor using a privileged system user account--one that had not been assigned to the vendor--to access the MSF systems.

"These violations of IT controls could compromise the confidentiality and integrity of the data in the systems, resulting in leakage of information or corruption of data used for computation of bonuses or subsidies under the schemes [processed by MSF]," the AGO said.
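The CPFB, NParks and MSF findings above come down to three reconciliations a security team can run against its own logs: changes without a matching approval, logins with accounts whose owners have left, and vendor sessions using privileged accounts the vendor was never issued. The script below is an added example, not from the AGO report or any of the agencies named; every log format, account name, IP address and date in it is constructed for illustration.

```python
"""Reconcile admin change logs and login events against approvals and leaver dates.

Added example, not from the AGO report: every log format, account name and
date below is constructed for illustration.
"""
from datetime import date, datetime

# Constructed approval register: change IDs that were signed off before execution.
APPROVED_CHANGES = {"CHG-1001", "CHG-1003"}

# Constructed admin change log: (timestamp, admin account, change ID, action).
# An empty change ID means the administrator raised no change request at all.
CHANGE_LOG = [
    ("2017-01-04T09:12:00", "dba01", "CHG-1001", "ALTER TABLE payouts"),
    ("2017-01-05T22:40:00", "dba01", "CHG-1002", "UPDATE subsidy_rates"),
    ("2017-01-09T11:05:00", "sysadm2", "CHG-1003", "patch app server"),
    ("2017-01-10T03:30:00", "sysadm2", "", "DROP INDEX idx_tmp"),
]

# Constructed HR leaver list: account -> last working day.
LEAVERS = {"jtan": date(2016, 11, 30), "mlee": date(2016, 12, 15)}

# Constructed authentication log: (timestamp, account, source IP, session type).
AUTH_LOG = [
    ("2016-12-02T08:01:00", "jtan", "10.1.2.3", "staff"),
    ("2016-12-10T09:00:00", "mlee", "10.1.2.8", "staff"),
    ("2016-12-20T19:44:00", "mlee", "10.1.9.9", "staff"),
    ("2017-01-03T02:15:00", "svc_admin", "203.0.113.7", "vendor"),
    ("2017-01-03T10:00:00", "vendor_ops", "203.0.113.7", "vendor"),
]

# Accounts issued to the vendor, and the accounts that carry privileged rights.
VENDOR_ACCOUNTS = {"vendor_ops"}
PRIVILEGED_ACCOUNTS = {"svc_admin", "dba01", "sysadm2"}


def unapproved_changes(change_log, approved):
    """Changes whose ID is missing or does not appear in the approval register."""
    return [entry for entry in change_log if entry[2] not in approved]


def unapproved_ratio(change_log, approved):
    """Share of changes made without pre-approval (the AGO put CPFB's figure at 88.7 percent)."""
    if not change_log:
        return 0.0
    return len(unapproved_changes(change_log, approved)) / len(change_log)


def logins_after_departure(auth_log, leavers):
    """Logins with an account after its owner's last working day; the account should have been removed."""
    hits = []
    for ts, account, src, _ in auth_log:
        last_day = leavers.get(account)
        if last_day is not None and datetime.fromisoformat(ts).date() > last_day:
            hits.append((ts, account, src))
    return hits


def vendor_privileged_misuse(auth_log, vendor_accounts, privileged):
    """Vendor sessions that authenticate with a privileged account not assigned to the vendor."""
    return [
        (ts, account, src)
        for ts, account, src, session in auth_log
        if session == "vendor" and account in privileged and account not in vendor_accounts
    ]


if __name__ == "__main__":
    print(f"unapproved changes: {unapproved_ratio(CHANGE_LOG, APPROVED_CHANGES):.1%}")
    for ts, account, src in logins_after_departure(AUTH_LOG, LEAVERS):
        print(f"login after last working day: {account} from {src} at {ts}")
    for ts, account, src in vendor_privileged_misuse(AUTH_LOG, VENDOR_ACCOUNTS, PRIVILEGED_ACCOUNTS):
        print(f"vendor session used privileged account {account} from {src} at {ts}")
```

The leaver check is the one that catches the CPFB and NParks findings: it needs an authoritative last-working-day feed from HR, not a list maintained by the same administrators whose accounts are being checked. The vendor check only works if sessions are tagged by origin (here a constructed "vendor" session type); without that tagging, the 560 MSF instances look like ordinary privileged logins.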

In its response, Singapore's Ministry of Finance said the government's "overall system of managing public funds remains sound", but it acknowledged there was room for improvements as identified by the AGO report, including in IT controls.

"While we recognise it is not possible to completely eliminate individual human lapses, errors or misjudgement, the public service is taking a concerted effort to address the issues identified... Heads of the agencies responsible have reviewed each case and where warranted, appropriate actions have been or will be taken against those responsible," the ministry said.

In its audit last year, the AGO rapped the Ministry of Law for not properly monitoring and reviewing logs of activities carried out by external IT vendors, specifically those involving the IPTOBis servers. These systems were used by the law ministry to manage cases pertaining to its insolvency, public trustee, and related regulatory functions. Proper reviews of the activity logs would have enabled the ministry to detect any unauthorised system access or change, the AGO said, adding that 44 user accounts temporarily provided to IT vendors had not been removed after they were no longer required.

GOVERNMENT OUTLAWS USE OF UNAUTHORISED USB DRIVES
The AGO report followed a week after the Singapore government unveiled its draft cybersecurity bill, outlining new legislation that would require operators of local critical information infrastructure to take steps to safeguard their systems and swiftly report threats and incidents. Released by the Ministry of Communications and Information (MCI) and Cyber Security Agency (CSA), the proposed new laws also would facilitate information sharing across critical sectors and require selected service providers as well as individuals to be licensed.

Last week, the Government Technology Agency (GovTech) announced that all government employees from July 25 would be able to use only authorised USB storage drives. A pool of portable storage devices that catered to the government's security requirements would be made available to public servants on a "working need basis", the government's CIO office told local media. It added that other tools such as file transfer devices also would be provided to government agencies.

GovTech said: "USB storage devices continue to be a means to introduce malware and exfiltrate data, especially as they have the potential to be easily misplaced."

The latest move came more than a year after the government said it would restrict internet access amongst its 143,000 public servants, allowing them to access only the intranet and work e-mail via their workstations.

Full online access would only be provided via designated terminals, though government employees would still be allowed to browse the web on their own personal mobile devices, which would have no access to work e-mail systems.

From:http://www.zdnet.com/article/singapore-government-uncovers-lapses-in-it-systems-control/

Cybercrime and cyberwar: A spotter’s guide to the groups that are out to get you

Security threats can come from a variety of different individuals and groups. Here's a field guide to the major players.

Cybercriminals are as varied as other internet users: just as the web has allowed businesses to sell and communicate globally, so it has given fraudsters the ability to plunder victims anywhere and set up crime networks that, previously, would have been impossible.

The web has become central to the smooth running of most developed economies, and the types of cybercrime have changed too. While 15 years ago the majority of digital crime was effectively a form of online vandalism, most of today's internet crime is about getting rich. "Now the focus is almost entirely on some kind of pay-off," says David Emm, principal security researcher at Kaspersky Lab.

That's causing significant costs to businesses and consumers. IBM and Ponemon Institute's 2016 Cost of Data Breach Study found that the average cost of a data breach for the 383 companies participating increased from $3.79m to $4m over 2015: the average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158. All the organisations in the survey had experienced a data breach ranging from 3,000 to 101,500 compromised records, and the majority of the leaks were down to malicious attacks (as with many types of crime, the costs of cleaning up can be vastly higher than the loot that the hackers manage to get away with).

Data breaches aren't the only costs to business of online criminals: the FBI calculates that CEO email scams -- where criminals pose as senior execs and persuade finance managers to transfer huge sums to phoney bank accounts -- have hit tens of thousands of companies and cost over $3.1bn since January 2015.

There's a significant cost to business of protecting against attacks, too: according to analyst firm Gartner, worldwide spending on security products and services will reach $81.6bn (£62.8bn) this year, up eight percent year-on-year thanks to increasingly sophisticated threats and a shortage of cybersecurity professionals.

Most internet crime is motivated by a desire for profit -- stealing banking credentials or intellectual property, or via extortion for example. But as online crime has grown it has also evolved -- or mutated -- into a set of occasionally overlapping groups that pose distinct threats to organisations of different sizes.

These groups have different tools, objectives and specialities, and understanding this can help defend against them.

Disorganised crime
"The bulk of cybercrime is the equivalent of real-world opportunist thieves," says Emm. These are the crooks you're most likely to come across, or at least feel the impact of, as an individual -- the petty criminals of the online world. They may spew out spam or offer access to a botnet for others to run denial-of-service attacks, or attempt to fool you into an advance-fee scam, where the unwary are promised a big payday in return for paying an (often substantial) sum of money up-front.
One big growth area here is ransomware: "The return on investment in the criminal ecosystem is much better if you can get your victims to pay for their own data," said Jens Monrad, global threat intelligence liaison for FireEye.

Still, basic IT security is often enough to keep this sort of crime at bay: encrypting data, using anti-malware technologies and keeping patching up to date means "you're going to be in fairly good shape," according to Kaspersky's Emm.

Organised crime
"The twenty-first century digital criminal is best characterised as a ruthlessly efficient entrepreneur or CEO, operating in a highly developed and rapidly evolving dark market...they are a CEO without the constraints of regulation or morals," warned a recent report from KPMG and BT entitled Taking the Offensive.

These groups will have a loose organisation and may utilise many contractors -- some expert at developing hacking tools and vulnerabilities, others who will carry out the attack and yet others who will launder the cash. At the centre of the web is a cybercrime boss with the ideas, the targets and the contacts.

These are the groups with the capability to mount attacks on banks, law firms and other big businesses. They might execute CEO frauds, or simply steal vital files and offer to sell them back again (or sell them on to unscrupulous business rivals).

According to European law enforcement agency Europol in its 2015 Internet Organised Crime Threat Assessment, there is now some overlap between the tools and techniques of organised crime and state-sponsored hackers, with "both factions using social engineering and both custom malware and publicly available crimeware". Organised cybercrime groups are also increasingly performing long-term, targeted attacks instead of indiscriminate scatter-gun campaigns, said the agency.

When nation states use a technique it usually takes around 18 to 24 months for that to filter down to serious and organised crime.

"One of the challenges for the ordinary company is the level of the adversary continues to get more sophisticated because they are able to get access to more of the technologies than they would have been able to do in the past", said George Quigley, a partner in KPMG's cyber security division.

And it's not just the big companies that may be at risk. "You could be forgiven as a small business for thinking 'I'm not one of those guys, why would somebody want my network?' -- but you are part of somebody's supply chain," said Kaspersky's Emm.

Hacktivists
These may be individuals or groups driven by a particular agenda -- perhaps a particular issue or a broader campaign. Unlike most cybercriminals, hacktivists aren't out to make money from their exploits, rather to embarrass an organisation or individual and generate publicity. This means their targets may be different: rather than a company's accounts system or customer database, they may well want to access embarrassing emails from the CEO or other company officials.

Terrorists
Despite the hype, the threat from cyber terrorism remains low, largely because these groups lack the skills, money and infrastructure to develop and deploy effective cyber weapons, which only the largest nations can hope to build. "Terrorist sympathizers will probably conduct low-level cyber attacks on behalf of terrorist groups and attract attention of the media, which might exaggerate the capabilities and threat posed by these actors," said US director of national intelligence James Clapper in his assessment of worldwide cyber threats in September last year.

State-backed hackers
While standard criminality accounts for the vast majority of cyber threats, the use of the web by state-sponsored hackers has been widely publicised in recent years. Much of this takes the form of cyber espionage -- attempts to steal data on government personnel or on expensive defence projects. Governments will spend millions on developing all-but-undetectable ways of sneaking onto the systems of other nations -- or those of defence contractors or critical national infrastructure -- and these projects may take years of development.

"Networks that control much of our critical infrastructure -- including our financial systems and power grids -- are probed for vulnerabilities by foreign governments and criminals," warned President Obama last year, blaming Iranian hackers for targeting American banks and North Korea for the attack on Sony Pictures that destroyed data and disabled thousands of computers.

Like hacktivists, state-sponsored groups aren't usually seeking financial gain. Rather, they are looking to support the policies of their government in some way -- by embarrassing another government by revealing secrets, or by gaining a potential strategic advantage, for example.

Worse, nation-state hackers may be interested in creating physical effects by digital means -- bringing down a power grid or forcing open the doors of a dam at the wrong time, for example. This is where cybercrime tips over into cyberwarfare.

"The management and operation of critical infrastructure systems will continue to depend on cyber information systems and electronic data. Reliance on the power grid and telecommunications will also continue to increase, as will the number of attack vectors and the attack surface due to the complexity of these systems and higher levels of connectivity due to smart networks. The security of these systems and data is vital to public confidence and safety," says Europol.

With the emergence of the Internet of Things (IoT) -- where everyday objects from thermostats to home security systems can be controlled online -- the risk of well-funded groups attempting to hack into these devices increases. If your organisation is being attacked by state-sponsored groups, keeping them out is likely to be extremely difficult: you should consider how to limit the damage, by segmenting networks and encrypting sensitive data, for example. Concentrating on blocking at the perimeter will not be enough.

Insider threats
With all the focus on external threats, is it possible that companies are forgetting a danger much closer to home?

"There's been an awful lot more issues being driven from insiders of late. One of the challenges is that when people think cyber they automatically think external," says KPMG's Quigley. Confidential company documents stored on shared drives and weak internal controls on who can access data mean that the disgruntled or greedy insider could still be one of the biggest risks to businesses. "They should have insiders much higher on the radar than they do," Quigley warns.

Blurred lines
In reality there's a lot of overlap between these groups, in personnel, the tools they use and the targets they choose. "The cyber threat landscape is becoming a much more complicated environment to do attribution or explain attacks," says FireEye's Monrad.

However, most breaches start in the same way, says Kaspersky's Emm: "What they have in common is how they get their initial foothold through tricking individuals into doing something that jeopardises security: click on a link, open an attachment, give out some confidential information." It's vital to educate staff and close obvious holes: through to 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year, according to Gartner.

What's certain is that, as the internet becomes even more essential to our day-to-day lives, the potential for cyber criminals to make money will only increase.

From:http://www.zdnet.com/article/cybercrime-and-cyberwar-a-spotters-guide-to-the-groups-that-are-out-to-get-you/

Hackers are using this new attack method to target power companies

Phishing emails, used to steal credentials from critical infrastructure firms, can silently harvest data without even using macros, researchers have warned.

Hackers are targeting energy companies, including those working in nuclear power and other critical infrastructures providers, with a technique that puts a new spin on a tried-and-tested form of cyberattack.

Phishing has long been a successful method of attack, with cybercriminals crafting a legitimate-looking email and sending it to the intended victim along with a malicious attachment. Once executed, it runs code for dropping malware, which can be used for ransomware, stealing data, or another form of attack.

But now attackers are running phishing campaigns without any malicious code embedded in the attachment: the document instead uses a template injection, fetching its template over an outbound SMB connection, to silently harvest credentials, according to researchers at Talos Intelligence.

While the attack method is currently only used to steal data, researchers warn it could be employed to drop other malware.

It's the latest in a string of attacks that lean on SMB -- although, unlike Petya or WannaCry, this one abuses an ordinary outbound SMB connection rather than a flaw in the protocol implementation, and there's no known relation to EternalBlue, the leaked NSA Windows exploit which has been used to carry out global ransomware attacks.

Cyberattacks against critical infrastructure are not a new phenomenon, and since May 2017 hackers have been using this new technique to target energy companies around the world, predominantly in Europe and the US, with the goal of stealing the credentials of those working in critical infrastructure. It's not yet known who is behind the attacks or where they're based.

Like other phishing campaigns, this attack uses emails relevant to the targets as a lure. In this instance, the emails often claim to be environmental reports or a CV, and come with an attached Word document that attempts to harvest data when opened.

Researchers say these documents initially showed no indicators of compromise and none of the malicious macros associated with this sort of campaign. Instead, the attachments attempt to download a template file from a particular IP address; the file, researchers found, contained not code but instructions for a template injection, which establishes a connection to an external server over SMB.

However, while the attack is performed by exploiting SMB, the phishing itself is handled over HTTPS, and the user credentials are harvested via Basic Authentication with a prompt for the credentials.
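A mail gateway or analyst can catch this before the document is ever opened, because Word records an attached template as an attachedTemplate relationship inside the .docx package, and a template that will be fetched from another host is marked external there. The scanner below is an added example, not Talos's code and not taken from the campaign described; it builds its own minimal sample documents in memory, and the 198.51.100.10 address, the share name and the file names are constructed. It distinguishes a template reached over SMB (a UNC or file:// target with a host) from one reached over HTTP(S), which matches the two channels the article describes, and from a harmless local template such as Normal.dotm.

```python
"""Flag Word attachments whose attached template points at a remote host.

Added example, not Talos code. Word records an attached template as an
attachedTemplate relationship in word/_rels/settings.xml.rels; when the
Target is external, Word fetches it on open (a file:// UNC target goes out
over SMB, an http(s) target over the web). The sample documents, the
198.51.100.10 address and the file names below are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def classify_target(target):
    """How Word would fetch the template: 'smb' for UNC/file URLs with a host, 'http', or 'local'."""
    t = target.strip()
    if t.startswith("\\\\"):
        return "smb"
    parts = urlsplit(t)
    scheme = parts.scheme.lower()
    if scheme == "file":
        # file:///C:/... has no host and stays on the local disk; file://host/... is a UNC fetch.
        return "smb" if parts.netloc else "local"
    if scheme in ("http", "https"):
        return "http"
    return "local"


def find_remote_templates(docx_bytes):
    """Return [(target, transport)] for each external attachedTemplate relationship in the document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return findings
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.findall(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode", "Internal") != "External":
                continue
            target = rel.get("Target", "")
            findings.append((target, classify_target(target)))
    return findings


def is_suspicious(docx_bytes):
    """True when any attached template would be fetched from another host."""
    return any(transport in ("smb", "http") for _, transport in find_remote_templates(docx_bytes))


def build_docx(template_target=None):
    """Construct a minimal .docx; with template_target set, attach an external template the way Word does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        if template_target is not None:
            z.writestr("word/settings.xml",
                       f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:attachedTemplate r:id="rId1"/></w:settings>')
            z.writestr(SETTINGS_RELS,
                       f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean.docx": build_docx(),
        "normal_template.docx": build_docx("file:///C:/Users/alice/Templates/Normal.dotm"),
        "env_report.docx": build_docx("file://198.51.100.10/share/env_report.dotm"),
        "cv.docx": build_docx("https://198.51.100.10/cv_template.dotm"),
    }
    for name, data in samples.items():
        verdict = "SUSPICIOUS" if is_suspicious(data) else "ok"
        print(f"{name}: {verdict} {find_remote_templates(data)}")
```

The scan only looks at the settings relationships, which is where an attached template lives; a document that is clean here can still carry macros or other remote parts, so it complements rather than replaces macro inspection. It also does nothing about a document that has already been opened, which is why Talos's advice further down, to block outbound SMB at the network edge unless it is specifically required, is the control that actually stops the credential from leaving.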

Talos has responded to the attacks by contacting affected customers and ensuring "they were aware of and capable of responding to the threat".

The researchers also say this threat "illustrates the importance of controlling your network traffic and not allowing outbound protocols such as SMB except where specifically required for your environment".

However, Talos says it is unable to share all indicators of compromise or who specifically has been targeted due to "the nature in which we obtained intelligence related to these attacks".

From:http://www.zdnet.com/article/hackers-are-using-this-new-attack-method-to-target-power-companies/

Singapore firms recognise cybersecurity importance, but not armed for it

Majority of local companies seek expert help in cybersecurity, but 56 percent do not have systems to trigger alerts of unusual activities and 40 percent do not have incident response plans.

The majority of organisations in Singapore recognise the importance of cybersecurity, but fewer are adequately prepared to deal with incidents or have the necessary response plan in place.

Some 91 percent said they sought guidance from cybersecurity experts, but 75 percent did not have dedicated IT security budgets and planning processes, according to a survey released by local security vendor Quann, and jointly conducted with IDC. The study polled 150 senior IT professionals from medium to large companies in Singapore, Hong Kong, and Malaysia. Of these, 57 were from Singapore, 52 from Malaysia, and 41 from Hong Kong.

Some 56 percent in Singapore did not have security intelligence systems that could trigger alerts for any unusual activities, and 54 percent did not have a security operations centre or dedicated team to monitor and respond to incidents flagged by systems.

Some 32 percent had security support only during work hours, while 25 percent had this only during the work week. Another 40 percent had not established any incident response plan in case of cybersecurity attacks, and only 33 percent required all employees, including the CEO, to participate in awareness training.

Furthermore, only 16 percent would invite executives to board meetings and involve them in risk assessment.

IDC's Asia-Pacific vice president of IT security practice, Simon Piff, said: "Not all C-suites in Asia are fully conversant with the fundamentals of a robust cybersecurity strategy and the appropriate investments. Cybersecurity investments are akin to military spending--we do it in the hope that we would never have to use the tools.

"They need to understand that this is not a business ROI (returns on investment) with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation," Piff said.

Quann's managing director Foo Siang-tse added that many companies, despite the obvious threats, were not investing enough in IT security, leaving them vulnerable. "The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes, and equipped individuals, is critical in enabling them to detect threats early and mitigate their impact," Foo said.

From:http://www.zdnet.com/article/singapore-firms-recognise-cybersecurity-importance-but-not-armed-for-it/