Late last week researchers at Symantec warned of a new variant of the Fakebank Android malware family that has an unusual twist. Once installed the malware will intercept mobile calls you attempt to make to your bank, and instead direct them to a scammer impersonating an agent working for the bank. Furthermore, the malware will intercept calls from the *scammers*, and display a fake caller ID to make it appear as though the call is really from the legitimate bank.
Mennes, senior manager for market and security strategy at VASCO offers advice for banks:
“Banks can protect themselves against ‘vishing’ (voice phishing) attacks by educating users, for example explaining that they shouldn’t install apps from unofficial stores, and requesting they review app privileges. However this approach fails if the user makes a mistake. A stronger and better approach to protect against vishing consists of implementing transaction authentication, whereby the user must generate a valid dynamic authentication code in order to confirm a financial transaction. Fraudsters will have trouble convincing the user to generate and provide a valid authentication code for a fraudulent financial transaction, and hence will be stopped before doing any harm.”
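The transaction authentication Mennes describes works because the code is cryptographically bound to the transaction details the user actually saw, so a code the victim reads out to a "bank agent" cannot be redirected to the scammer's account. The sketch below is an added illustration, not VASCO's product or the Fakebank article's own code: it assumes a shared secret provisioned to the user's authenticator, a canonical encoding of beneficiary, amount and currency, an HMAC-SHA256 MAC truncated HOTP-style (RFC 4226 section 5.3) to eight digits, and an event counter with a small look-ahead window so a consumed code cannot be replayed. The IBANs and secret are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample secret, standing in for the key provisioned to the
# user's authenticator during enrolment (assumption for this example).
DEVICE_SECRET = bytes.fromhex(
    "7f1c2a9b4e6d8c0f13355779bbdd0022446688aaccee11335577990011223344"
)


def canonical_transaction(beneficiary: str, amount_cents: int, currency: str) -> bytes:
    """Encode the details the user confirmed so device and bank MAC identical bytes."""
    payload = {"beneficiary": beneficiary, "amount_cents": amount_cents, "currency": currency}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(secret: bytes, beneficiary: str, amount_cents: int,
                     currency: str, counter: int, digits: int = 8) -> str:
    """Dynamic code bound to both the transaction details and an event counter."""
    msg = canonical_transaction(beneficiary, amount_cents, currency) + counter.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation applied to a SHA-256 MAC.
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class BankVerifier:
    """Bank-side check: recompute the code over the transaction the bank received."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0          # highest counter value accepted so far
        self.window = window      # tolerated look-ahead for codes generated but never submitted

    def verify(self, beneficiary: str, amount_cents: int, currency: str, code: str) -> bool:
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            expected = transaction_code(self.secret, beneficiary, amount_cents, currency, c)
            if hmac.compare_digest(expected, code):
                self.counter = c  # consume the counter so the same code cannot be replayed
                return True
        return False


def demo() -> tuple:
    """Returns (fraud_accepted, legit_accepted, replay_accepted)."""
    bank = BankVerifier(DEVICE_SECRET)
    victim_iban, scammer_iban = "NL91ABNA0417164300", "DE89370400440532013000"

    # The user confirms a transfer to victim_iban on their authenticator (counter 1)
    # and, under social engineering, reads the code out to the "bank agent".
    code = transaction_code(DEVICE_SECRET, victim_iban, 12500, "EUR", 1)

    # The scammer submits that code for a transfer to their own account: the MAC
    # covers the beneficiary, so no counter in the window matches.
    fraud_accepted = bank.verify(scammer_iban, 12500, "EUR", code)

    # The genuine transaction the user confirmed still verifies.
    legit_accepted = bank.verify(victim_iban, 12500, "EUR", code)

    # Re-submitting the same code fails because counter 1 has been consumed.
    replay_accepted = bank.verify(victim_iban, 12500, "EUR", code)
    return fraud_accepted, legit_accepted, replay_accepted


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is the binding, not the truncation: a one-time code that is only bound to time or a counter (a plain OTP) is exactly what a vishing caller can talk a victim into reading out, whereas a code that covers the beneficiary and amount shown on the device is useless for any other transfer.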
Paul Bischoff, privacy advocate at Comparitech.com, advises consumers: “The Fakebank Android malware could soon be a model adopted by malware makers in parts of the world outside South Korea. Even though the attack uses a fairly novel approach to scam users, Android owners can avoid it using the same best practices used to avoid any other type of malware. First, update Android to the latest stable version. The newest release, Oreo, prevents the caller ID from being spoofed by the malware. Avoid downloading apps and files from unknown sources. Don't trust apps from third-party app stores, and be wary of links in web pages and emails. It’s also important to review and limit the permissions of apps you install, and install and run antivirus regularly.”
Privacy/security experts comment on latest Facebook data privacy development
Experts at tech advice site Comparitech.com comment on the Facebook data privacy issues that came to light late last week. Paul Bischoff, privacy advocate at Comparitech.com, says:
“Apps connected to Facebook have long been a threat to users' privacy, and Cambridge Analytica is the very sort of danger that we've been warning people about for months. Facebook has made a substantial effort to improve users' privacy from other Facebook users and non-Facebook users who might be Googling them, adding a long list of settings to its privacy menu. Apps connected to Facebook, however, have their own settings that aren't covered in any of the obvious places.
When you connect an app to Facebook, you are often required to give that app permissions to view information about your profile. This happens any time you log in with Facebook on another site, ranging from shopping sites like Amazon to tools, music and media streaming services, and quizzes and games. One of those permissions grants an app maker access to your friends list, among other information, which includes all of your friends' basic profile information. This is done without your friends' consent. Conversely, if your friend connects an app to Facebook, that app can extract data from your profile without your knowledge or direct consent.
An app developer can request from 40 different permissions, 38 of which require review by Facebook staff before the app can be connected to the social network. Facebook actually has quite stern rules for developers about how they use account data, and Facebook says Cambridge Analytica broke those rules. To Facebook's credit, its platform policy states, "Only use friend data (including friends list) in the person’s experience in your app." But more to the point, what enforcement mechanisms other than banishment after the fact does Facebook have to prevent such incidents from happening again? It would seem that Facebook can do little to stem abuse until after the damage has been done, despite its review process.
Facebook users can and should take matters into their own hands. You can disable the option to allow friends' apps to glean information from your account. This setting is in the Apps menu, and not in the privacy menu; most people don't look here and Facebook never instructs users to do so in its "Privacy Checkups". By disabling this feature, you can prevent companies like Cambridge Analytica from getting their hands on your data through friends' apps.
If you believe your data has already been compromised, Facebook offers a little-known resource. In Facebook's Apps menu, click on an app and hit the Edit button. Scroll down through the permissions (which you should also set to a minimum) to find your application ID. You can contact the developer, request your information be deleted, and give them the application ID so they know exactly which information to delete. Whether a company like Cambridge Analytica would actually comply is questionable, though, and the company stated it already deleted Facebook user data from its servers.”
Lee Munson, security researcher at Comparitech.com, says: “The latest big news story surrounding Facebook could have massive implications for both the social networking giant and UK firm Cambridge Analytica, though claims that the latter harvested personal data through an app it allegedly created, rather than via some under the table agreement, could be telling in the final analysis.
If that claim proves to be true, it would pretty well let Facebook off the hook as the company would not have handed over any data itself and Cambridge Analytica would, it seems, have only collected data that is already in the public domain, placed there by the so-called victims of this ‘data breach’ themselves. If that is the case then there may well be a moral argument to settle but, apparently, no legal one, meaning other firms may well see through the fallout and spot a great opportunity for their own marketing and other business needs.
Of course, some people may call foul, especially in light of the incoming General Data Protection Regulation (GDPR) but, fortunately for those concerned, it is still a couple of months away from coming into effect. Once it is in place, firms will have to consider the question of informed consent before using any personal data, whether collected directly or indirectly and the whole landscape will change forever.
Until then, and even afterwards, consumers need to take control of their own privacy and question everything they put online, especially on sites like Facebook whose entire business model is based around its users being the product it markets.”
Juniper cyber expert re: US charges Russia with power plant cyber attacks (impacts, attribution, "Digital Geneva Convention")
In response to reports that the U.S. blames Russia for cyber attacks on the energy grid, Nick Bilogorskiy, a cybersecurity expert with Juniper Networks, offers comments on attack attribution, potential impacts of such attacks, and considerations for a "Digital Geneva Convention."
On a Digital Geneva Convention, Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, says: "I think the world needs a set of rules similar to the Geneva Convention to establish the standards of law for humanitarian treatment in cyberwar. It needs to define the protections of non-combatants in and around the cyber-war zone. Certain technologies or attack scenarios should be restricted, for example DDoS-ing life-support systems. Another example could be causing civilian plane crashes through custom malware or causing explosions in industrial plants.
"In cyberwar, the primary target is information on computer systems. What we need is a new form of the Fourth Geneva Convention, the one that deals with the treatment of civilians and their protection during wartime. The big challenge here is to understand how to do that in the new reality of non-linear warfare. The nature of armed conflicts has changed dramatically, towards hybrid warfare with some cyber and information manipulation components. For example, in Ukraine, Russia has been accused of combining military and nonmilitary means from 'bribery of opposing public officials' to 'long-range artillery, microwaves, radiation, and non-lethal biological weapons.'
"The computer revolution in military affairs has impacted tactics and weapons. Terrorist and criminal groups now have abilities that used to be reserved for nation states. Cyber attacks have been used in a broader strategy of information warfare. Some examples are denial of service attacks, hacker attacks, espionage malware, dissemination of disinformation and propaganda, social media election manipulation, website or Twitter defacements, persecution of cyber-dissidents and other active measures.
"Interfering with communication system computers is a part of standard military tactics. But hacking attacks that cause a direct loss of life should be considered war crimes.
"Moreover, as internet connectivity is quickly becoming a basic human right and a critical need, we could declare certain people who do humanitarian work, or who repair and configure internet connectivity, as 'protected persons' in the context of cyberwarfare, where violating the protection of 'protected persons' would be a war crime.
"Crafting Digital Geneva Conventions should be done by an international coalition. Cybersecurity experts from the private sector and from governments should work together on drafting it. Then the governments of different countries would need to ratify the conventions."
On the impacts of critical infrastructure attacks:
"In the modern world, cyberwarfare can be used by a foreign entity to launch a devastating attack against the United States without a single bomb, or missile.
"Nuclear power plants, water and electric systems are the heart and internal organs of our country’s body. While they were rumored to be attacked in the past, such as in the 'Nuclear17' incident, such cases were kept mostly out of the news on a need-to-know basis.
"It is now being announced that Russian hackers penetrated US plants and yesterday, the Russian government was sanctioned for doing so. We should be very concerned about these attacks. For one, they could cause prolonged electrical outages and blackouts as our electrical grid infrastructure lacks sufficient redundancy to sustain these attacks. In the worst case scenario, cyberattacks on nuclear plants could cause them to explode and cost human lives.
"A recent example of this is the August 2017 cyberattack on Schneider's Triconex controllers at Saudi Arabia's plants, which was intended to cause an explosion that would have killed people and was only prevented by an error in the attack's computer code."
On attribution, Nick Bilogorskiy says: "Generally, cyber attacks are notoriously difficult to attribute because they often use proxies, third parties and fake artifacts in malware code to obfuscate their true origin. It is easier to understand who attacked you than it is to be able to prove it. So, officials have been reluctant in the past to call out such activity. In this case, the Department of Homeland Security and the FBI publicly condemned Russian government cyber actors, which to me means that they found significant evidence of Russian involvement.
"It is not publicly shared what this evidence is. At times in the past, the US has learned about foreign spying through something the intelligence community calls fourth-party collection: when our allies penetrate the attackers and 'watch over their shoulder' as the attacks are performed and gather evidence of the attacks, which they share with the US."
Cynerio CEO Comments on HIMSS report:
The 2018 HIMSS Cybersecurity Survey, of 239 health information security professionals, was recently released and provides insight into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber-attacks and compromises impacting the healthcare and public health sector. Data security expert Leon Lerman, co-founder and CEO of Cynerio, commented on the findings:
“More than two-thirds of healthcare leaders admitted to facing a significant security incident last year, which strongly shows us that attackers continue to find ways into hospital networks and it's inevitable for the initial infection to happen. Organizations need to make sure they have the right controls in place to detect the attack on time and stop the spread before significant damage is done. This includes adding visibility, detection and protection capabilities to areas to which providers are typically blind, like connected medical devices and their ecosystem, which attackers use as a gateway to the hospital's sensitive data.
From the initial point of compromise report, we can see that connected medical devices are not only used as a lateral movement pivot point, as described in most of the known attacks related to medical devices (such as Medjack), but could also be used as an initial infection point. This should further raise the importance of medical device security, and it is reflected in the ‘priorities for next year’ survey, in which medical device security is among the most prioritized issues.
The increased resources to address cybersecurity needs are a step in the right direction, as one of the main reasons healthcare is among the top targeted industries by hackers is its lax security posture, which hackers leverage to get their hands on sensitive patient data, still one of the most profitable assets on the black market. Providers will need to leverage more resources to deal with the growing number of security risks, which include not only the traditional infosec risks but also healthcare-specific emerging risks, like the risk associated with the increased introduction of connected medical devices.”
Cynerio is a new start-up based near Tel Aviv that protects the sensitive data at one of the largest Israeli healthcare organizations, Rambam Hospital. Cynerio combines device behavior learning with medical workflow analysis to provide full visibility into medical device behavior and activity on the network, detect anomalies and stop the threat, to ensure patient safety and data protection.