Prediction: mobile phones will not exist in 10 years

The ‘Internet of Bodies’ is upon us.

Mobile phones will not exist in ten years’ time, a data scientist and futurist has predicted in calling out the breakneck pace of the “absolutely game-changing” Industry 5.0 paradigm that she called “not the Internet of Things, but the Internet of Bodies”.

“Lots of people are talking about the new normal, but the new normal in the world of emerging technologies is every week,” Dr Catherine Ball, a data scientist and systems engineer at Australian National University, said in a keynote to the ADMA Global Forum.

“We are now working with exponential and bleeding-edge technologies that are moving so fast that we don’t even have the words to describe what they actually mean.”

As distinct from Industry 4.0 – an industrial paradigm built around the idea of highly-connected, self-monitoring and self-optimising production processes that lean heavily on IoT sensors – Industry 5.0 will be based on convergence of data and human-centric technologies that will dramatically change the way people interact with services, with the world around them, and each other.

Noting that ANU scientists have already produced mobile phones as thin as a piece of paper, Ball said today’s human-focused technology was rapidly being subsumed into wearable and implantable devices that would make phones as standalone devices redundant.

Innovations such as the smart contact lens – conceptualised by Google in 2013 and recently demonstrated by South Korean researchers – will allow people to “project what we want to see, not what is,” Ball said.

Rather than using smart mirrors to virtually try on clothes and accessories, for example, an Industry 5.0 approach would see a composite image projected directly onto the wearer’s contact lens – or, as is being increasingly discussed, directly into a digital metaverse where responsive avatars can interact with highly detailed simulacra of real-world or imaginary spaces.


Those digital environments aren’t just about marketing, however: with increasingly detailed digital twins becoming commonplace, metaverse interaction will allow people to interact with real-world systems in new ways.

Large-scale digital twins of a country like Vanuatu, Ball said, would even allow weather scientists and emergency-response specialists to simulate the impact of different extreme weather scenarios.

“It’s about convergent technologies,” Ball explained. “It’s about how the future is more than the sum of the parts – and before we even start talking about the metaverse, how we’re going into a space where data is being produced and consumed in ways that we have never done it before.”

Get data right before it does you wrong

Yet for all the promise of Industry 5.0, the burden of collecting, managing, and utilising the data was posing new challenges as brands consider how to re-engage with consumers that are retraining themselves for life in the “post-plague economy”.

“We’re at a tipping point,” Ball said, warning marketers that trust will be crucial in rebuilding those relationships – and that laying down a coherent and effective data management strategy is critical to achieving that trust.

“In the last two years we’ve connected online in ways that we’ve never connected before physically,” she said, “so how do you maintain those relationships and maintain those personal trusts?”

“This isn’t about just shoving ads at people,” she continued. “This is actually working how we are as individuals going to be, as a human concept, producing data that you might be collecting, but also consuming data that you might be producing.”

“We’re going from technology and device-led conversations to social function and social license – and ethically driven ways of working.”

Use of data for the common good – for example, in better understanding natural disasters like the current Lismore floods, or modelling bushfires to better manage outcomes and minimise human impact – will be a key output of Industry 5.0, Ball said.

Yet faced with “data tsunamis” from the sheer volume of multi-modal, multi-platform data now being collected and used, she added, companies needed to consider practical issues – for example, whether they should invest in sovereign data capabilities and how they can ensure that their use of AI respects ethical and moral norms.

READ MORE

A Lack of Employee Cyber Hygiene is the Next Big Threat

A new report suggests that everything from endpoints, to passwords, to training, to security policies, to a lack of awareness is all contributing to much higher risk of cyberattack.

Employee cyber risk is a multifaceted issue that revolves a lot around cyber hygiene, according to new data in Mobile Mentor’s inaugural Endpoint Ecosystem Report. It involves a number of issues that organizations are going to need to address effectively and quickly.

A few issues I really want to highlight here include passwords, device use, and a lack of proper training. Despite most phishing attacks focusing on credentials, employees still have terrible password hygiene:

  • Gen-Z employees have more than 20 work passwords and type more than 16 passwords daily
  • 69% of employees admit to choosing passwords that are easy to remember
  • 29% of employees write their passwords down in a journal
  • 24% store passwords in a Notes app on their phone

But the device is secure, right? Wrong.

Only 43% of organizations have BYOD securely enabled, with just one-third of employees able to securely access corporate systems, data, and apps from personal devices. With 64% of employees using a personal device for work, this is a massive risk.

So, these companies are making up for it by properly training their employees about cyberattacks, vigilance, good hygiene, etc., right? Again, wrong.

According to the report, only 25% of in-office workers receive security training monthly. Remote employees fare a bit better (43% receive training), but the poor password hygiene alone makes it evident that organizational leadership isn’t taking this seriously and isn’t looking to elevate the individual employee’s mindset around the need to be secure while working – and the employee’s role in helping to maintain that state of security.

Those organizations focused on continual Security Awareness Training demonstrate a commitment to making every aspect of the employee’s interaction with corporate resources, applications, and data on the one hand (and with email and the web on the other) as secure as possible – starting with elevating the employee’s own awareness to a state of vigilance, which ensures better cyber hygiene and a more secure organization.

READ MORE

Email Conversation Hacking to Distribute Malware

Researchers at Intezer warn that attackers are hijacking email conversations to distribute the IcedID banking Trojan. This technique makes the phishing emails appear more legitimate and helps them bypass security filters.

“In the new IcedID campaign we have discovered a further evolution of the threat actors’ technique,” the researchers write. “The threat actor now uses compromised Microsoft Exchange servers to send the phishing emails from the account that they stole from. The payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file. The use of ISO files allows the threat actor to bypass the Mark-of-the-Web controls, resulting in execution of the malware without warning to the user. With regards to targeting, we have seen organizations within energy, healthcare, law, and pharmaceutical sectors.”

The researchers explain that conversation hijacking is “a powerful social engineering technique” because the phishing email appears to be coming from a trusted contact.

“The attack-chain starts with a phishing email,” the researchers write. “The email includes a message about some important document and has a password protected ‘zip’ archive file attached. The password to the archive is given in the email body…. What makes the phishing email more convincing is that it’s using conversation hijacking (thread hijacking). A forged reply to a previous stolen email is being used. Additionally, the email has also been sent from the email account from which the email was stolen.”

While this tactic isn’t unique to this threat actor, the researchers note that this development shows that the attackers are continuing to improve their operations.

“In the current mid-March campaign, we have discovered reuse of the same stolen conversation now being sent from the email address that received the latest email,” Intezer says. “Back in January when this conversation was also used, the “FROM” address was “webmaster@[REDACTED].com” with the name of the recipient of the last email in the conversation. By using this approach, the email appears more legitimate and is transported through the normal channels which can also include security products.”

New-school security awareness training can enable your employees to thwart social engineering attacks.

READ MORE

Buy Now, Pay Later Scams

Fraudsters are taking advantage of the buy-now, pay-later (BNPL) payment model, according to Jim Ducharme, COO of Outseer. On the CyberWire’s Hacking Humans podcast, Ducharme explained that scammers can either impersonate victims or take over their accounts in order to make fraudulent purchases.

“In some cases, you know, it’s really what’s old is new,” Ducharme said. “Attackers are using a lot of the same techniques they used before, either account takeover or, in some cases, a new type of fraud called synthetic identity fraud. And what that really is, in synthetic identity fraud, when a fraudster goes to check out, they’ll use social engineering or other means to basically steal somebody’s identity and pretend to be you and just have the merchandise shipped to them. So, we see this quite a bit where, you know, somebody creates an identity or uses a synthetic identity to pretend to be somebody, get that installment plan, purchase the goods and services, and then by the time fraud is detected, the rip-off has already happened, if you will. In the case of account takeover, you know, again, a similar sort of thing where people are stealing credentials or ways to get into an account so that they can again enable this new way to pay and basically steal those goods and services using somebody else’s account or identity.”

Ducharme added that these BNPL providers may also be more susceptible to fraud because they have less experience than traditional credit card companies.

“With your credit card, as you probably know, the consumer is typically not responsible for the fraud, and the credit card company’s responsible for that,” Ducharme said. “And so they’ve put a number of controls in place to help prevent fraud and mitigate that risk. And so what we’re seeing is in – you know, with these new buy-now, pay-later methods, you know, we have to look at those same things. And in these cases, these buy-now, pay-later companies are typically going to be held liable to that fraud. But, again, some of the newer companies don’t necessarily have the decades of fraud prevention capabilities in place or even the sophistication of the new attack patterns of, you know, fraud at the point of an account enrollment versus what we’re typically, you know, what we’ve traditionally done for fraud prevention at the point of a transaction.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.

READ MORE

Fidelity: “Why cybersecurity is material to all industries”

Fidelity just published an article titled “Cybersecurity: A growing risk”. They note that the threat of Russian cyberattacks highlights vulnerabilities across industries. I’m quoting a small section and I suggest you read the rest of the article here.

Why cybersecurity is material to all industries

At Fidelity, we view cybersecurity as a material consideration across our proprietary environmental, social, and governance (ESG) research and ratings.
For example, within the “E,” cyberthreats are relevant to drinking water and wastewater systems that are infrastructure-intensive; in the “S,” lax supply-chain management can hurt data security; and in the “G,” cyberattacks can disrupt business operations, hurt share prices, and threaten management. We have found that cybersecurity is impacting every industry, in part due to accelerated trends in digitization and use of the cloud.
Utilities and energy companies have traditionally emphasized physical security of their assets over cybersecurity, but we expect the trend to shift for a number of reasons. First, critical infrastructure has increasingly been a target for cyber and ransomware attacks. Second, the increased connection of smart devices, coupled with legacy infrastructure that was not built to be connected to the internet, elevates potential vulnerabilities. Third, the Biden administration and Department of Energy recently issued a “100-Day Plan for Cybersecurity” for the electric power sector to identify and deploy new technology to identify and prevent such attacks.
READ MORE

Phishing Attack-Turned-Wire Fraud Case Sees a Win for the Policyholder

In an unusual turn of events, a recent court decision sided with the policyholder, despite specific policy language that probably should have favored the insurer.

The case of Ernst & Haas Mgt. Co. v. Hiscox, Inc. isn’t entirely unique. The simple version: an employee at Ernst & Haas receives a BEC phishing email impersonating a superior and wires $200K to a cybercriminal-controlled bank account. Ernst & Haas submits a claim against its cyberinsurance policy with insurer Hiscox, the claim is denied, and so the two end up in court.

What makes this an interesting case is cyberinsurers are *very* specific about policy verbiage to define what is and isn’t covered. In this case, the two coverage parts in question were:

(1) the Computer Fraud coverage, which covers losses “resulting directly from the use of any computer to fraudulently cause a transfer of that property”; and (2) Funds Transfer Fraud coverage, which covers loss “resulting directly from a [Fraudulent Instruction] to transfer, pay or deliver money” from the policyholder’s bank. Fraudulent Instruction was defined as an “instruction initially received by [the policyholder] which purports to have been transmitted by an Employee but which was in fact fraudulently transmitted by someone else without … the Employee’s knowledge or consent.”

The court sided with Ernst & Haas, despite the specifics of the attack not meeting either clause: The attack wasn’t Computer Fraud (as defined above), as it was a social engineering attack with the employee using the company computer. And it doesn’t appear to be Funds Transfer Fraud (again, as defined above), as the fraudulent instruction wasn’t initially sent to the policyholder.

The takeaway from this case is that insurers don’t always win. However, organizations shouldn’t count on this; it’s one of the reasons such specificity is used when defining the circumstances in which a policy claim will be paid. It’s a far better position to simply put procedures in place that require validating wire transfer requests using a separate medium, as well as have employees with access to perform transfers enroll in Security Awareness Training to maintain a sense of vigilance when interacting daily with such requests.

READ MORE

Published Zelenskyy Deepfake Video Demonstrates the Modern War is Online

The video uploaded to a hacked Ukrainian news website shows how far the technology has come, how it can be used in social engineering, as well as how the tech still needs to improve.

While much of the headlines today around the Russian invasion of Ukraine focus on the war on the ground and in the air, behind the scenes, a cyberwar is being waged. It began with wiper ransomware attacks on Ukrainian businesses and government agencies, and has culminated so far with a newly released deepfake video of Ukrainian president Zelenskyy asking his troops to lay down their weapons and surrender.


At face value, the deepfake looks pretty good, but if one is paying attention, it becomes obvious this isn’t the real president and the video can be seen for what it truly is. The use of cyberattacks – whether based on malware, social engineering, or both – is the new front lines of modern warfare. Yesterday, the White House even put out a statement about how both government and private sector businesses should harden their cyberdefenses immediately in light of possible cyberattacks from Russia.

And because the modern war is online, no business within a targeted country is safe – that’s not FUD; that’s fact. We’ve historically seen cyberattacks executed in both a random spray using millions of email addresses, as well as precision-targeted attacks on specific people within one organization – and everything in between.

The deepfake video also shows how cyberattackers will use the most credible and effective means to get targeted victims of an attack to take the desired action – whether it’s laying down a weapon, clicking a link, or opening an attachment; each one can have devastating results in its own right.

READ MORE

Chameleons Phish, Too

One of the challenges cyber criminals face is that their scams often have a relatively short shelf-life. Once they’ve been used, the gaff is quickly blown, and the scammers hope to realize their gains before most of the potential marks are wise to the scam.

Researchers at Trustwave describe a way in which criminals are trying to get more mileage out of their coding, specifically by developing “chameleon” phishing pages that adapt to their victims’ expectations and so escape exposure. They’re turning up in scams that seek to harvest credentials from unwary victims.

“Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials,” the researchers say. “This custom phishing site acts like a chameleon, by changing and blending its images to camouflage itself. There were four noticeable web elements that changed whenever we tested a crafted email address in the browser:

  • “The page’s background
  • “A blurred logo
  • “The title tab
  • “The capitalized text of the domain from the email address provider.”

The goal, again, is to give the scam legs, to enable it to stay in use longer. Here’s an example of how it changes for Gmail vs Outlook:

[Image: Trustwave chameleon phishing website pages, Gmail vs Outlook. Source: Trustwave]

“Phishing webpages are often taken down in a matter of minutes or become unavailable as soon as information security companies detect them as being malicious,” Trustwave explains. “These templated, or so-called chameleon phishing sites, are used repeatedly by malware authors using the clever tricks we just detailed to fool the user into thinking these pages are real. The phishers can easily customize the template and use other domains to host these scripts, allowing attackers to prey on unsuspecting users over and over again.”

Chameleon phishing sites represent another move toward commodifying malware and scamming techniques. New school security awareness training can help users see through the impostures that make their way through an organization’s filters.

READ MORE

[Heads Up] New Evil Ransomware Feature: Disk Wiper if You Don’t Pay

There is a new ransomware-as-a-service (RaaS) strain called LokiLocker, researchers at BlackBerry warn. The malware uses rare code obfuscation and includes a file wiper component that attackers can deploy if their victims don’t pay. “It shouldn’t be confused with an older ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer.

“LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows PCs. The threat was first seen in the wild in mid-August 2021,” researchers from BlackBerry’s Research & Intelligence Team said in a new report. The BlackBerry researchers estimate that LokiLocker currently has around 30 affiliates.

LokiLocker’s technical capabilities

When first executed on a computer, LokiLocker copies itself as %ProgramData%/winlogon.exe and then sets up persistence using a scheduled task and a start-up registry entry. The malware has a config file that affiliates can customise and which can be used to instruct the malware to:

  • Display a fake Windows Update screen
  • Kill specific processes and stop specific system services
  • Disable the Windows Task Manager
  • Delete system back-ups and Shadow Volume copies
  • Disable the Windows Error Recovery and Windows Firewall
  • Remove system restore points
  • Empty the Recycle Bin
  • Disable Windows Defender
  • Change the message displayed on the user’s login screen
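Turning the persistence traits described above into a defender-side check, as an added example (not BlackBerry’s or this newsletter’s code): it evaluates constructed autoruns-style records against the %ProgramData%\winlogon.exe drop location and the task/registry persistence the report describes. Windows default paths and the "binary directly in the ProgramData root" heuristic are assumptions of this example.

```python
"""Flag autostart entries that match the LokiLocker persistence pattern.

Added example, not BlackBerry's or this newsletter's code. It checks
constructed autoruns-style records (sample data made up for this example,
not real telemetry) against two traits described in the write-up: the
malware copying itself to %ProgramData%\\winlogon.exe and persisting
through a scheduled task or start-up registry entry pointing at that copy.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Values a real collector would read from the host; Windows defaults assumed.
ENV = {
    "%SYSTEMROOT%": r"C:\Windows",
    "%WINDIR%": r"C:\Windows",
    "%PROGRAMDATA%": r"C:\ProgramData",
}
LEGIT_WINLOGON = r"c:\windows\system32\winlogon.exe"  # the only valid location
PROGRAMDATA_ROOT = r"c:\programdata"


@dataclass(frozen=True)
class AutostartEntry:
    source: str    # "RunKey" or "ScheduledTask"
    name: str      # registry value name or task name
    command: str   # command line exactly as stored


def normalize(path: str) -> str:
    """Expand %VAR% references, unify separators and fold case for comparison."""
    expanded = re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).upper(), m.group(0)), path)
    return ntpath.normpath(expanded.replace("/", "\\")).lower()


def image_path(command: str) -> str:
    """Return the executable from a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def assess(entry: AutostartEntry) -> List[str]:
    """Return the reasons an entry looks like LokiLocker persistence (empty = clean)."""
    img = normalize(image_path(entry.command))
    reasons = []
    # The real winlogon.exe lives only in System32; any other copy is masquerading.
    if ntpath.basename(img) == "winlogon.exe" and img != LEGIT_WINLOGON:
        reasons.append("winlogon.exe outside System32 (LokiLocker drop location)")
    # Legitimate software uses vendor subfolders; a binary sitting directly in the
    # ProgramData root is a heuristic signal (assumption), not proof on its own.
    if ntpath.dirname(img) == PROGRAMDATA_ROOT:
        reasons.append(f"{entry.source} launches a binary from the %ProgramData% root")
    return reasons


def scan(entries: List[AutostartEntry]) -> Dict[str, List[str]]:
    """Map each suspicious entry name to the reasons it was flagged."""
    findings = {}
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


# Constructed sample: two entries mimicking the pattern, two benign ones.
SAMPLE = [
    AutostartEntry("RunKey", "winlogon", r'"%ProgramData%\winlogon.exe"'),
    AutostartEntry("ScheduledTask", "SystemUpdate", "C:/ProgramData/winlogon.exe -s"),
    AutostartEntry("RunKey", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    AutostartEntry("ScheduledTask", "VendorUpdater",
                   r'"C:\ProgramData\ExampleVendor\updater.exe" /quiet'),
]

if __name__ == "__main__":
    for name, why in scan(SAMPLE).items():
        print(f"{name}: {'; '.join(why)}")
```

On a live host the same `assess` logic can be fed from Run/RunOnce keys and the Task Scheduler export instead of the constructed list.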

“At the time of writing this, there is no free tool to decrypt files encrypted by LokiLocker,” the BlackBerry researchers said. “If you are already infected with LokiLocker ransomware, the recommendation by most official security authorities such as the FBI is to not pay the ransom.”

There are options to only encrypt the C drive, or to skip the C drive. The malware also has network scanning functionality, which can be used to detect and encrypt network shares, but using this functionality is also configurable.

Finally, LokiLocker contains a wiper module that will attempt to delete files from all local drives and then overwrite the hard drive’s Master Boot Record (MBR), which will leave the system unable to boot into the operating system.

Instead, the user will see a message reading: “You did not pay us, so we deleted all your files.” The wiper functionality will automatically trigger based on a timer that’s set to 30 days but is configurable.

It’s not clear who the authors of LokiLocker are, but the BlackBerry researchers noted that the debugging strings found in the malware are written in English without the major spelling mistakes that are sometimes common with Russian or Chinese malware developers. Instead, there are some potential links to Iran, but these could be planted to throw off malware researchers.

READ MORE

Email-Based Vishing Attacks Skyrocket 554% as Phishing, Social Media, and Malware Attacks Are All on the Rise

New analysis of attacks in 2021 show massive increases across the board, painting a very concerning picture for this year around cyberattacks of all types.

Mid-year reports of cyberthreats are informative but temporal in nature; organizations still need to look at longer data trends to understand where to place their focus, efforts, and budget. New data from security vendor PhishLabs in its Quarterly Threat Trends & Intelligence Report, covering all of 2021, provides a better sense of what 2021’s state of cyberattacks looked like, and shows that the increases in cybercriminal effort seen throughout the year look like they’re here to stay for the time being.

According to the report:

  • Phishing attacks grew 28%
  • Social Media-based threats grew by 103%
  • Attacks with malware nearly tripled
  • Vishing attacks (like the Amazon attack I’ve covered previously) that begin with a phishing email jumped 554%
  • 52% of phishing attacks focused on credential theft
  • 38% of phishing attacks are response-based (e.g., job scams, tech support, BEC)
  • Only 10% focused on malware delivery

The overarching theme here is email is the delivery mechanism of choice – because it works. So, it’s imperative that organizations put layered security measures in place to specifically stop email-based attacks – keeping in mind that with only 10% of attacks focused on malware delivery (and a portion of those using malicious links instead of attachments), some percentage of malicious phishing emails will make their way to the user’s Inbox. This means the user must also participate in your organization’s security strategy, interacting with emails with a sense of vigilance and scrutiny should an email seem unexpected, suspicious, out of the norm, etc. This can be taught, via Security Awareness Training, where users see themselves as a part of the organization’s layered security, helping to stop attacks before they do damage.

READ MORE