UK Hit With 30 Million Cyber Attacks In Just 3 Months*:
- Almost 30 million cyberattacks were carried out in the United Kingdom in the fourth quarter of last year.
- This is according to a new report by Kaspersky Lab, based on an analysis of threats between October and December 2018 in the country.
- The report claims that browser-based attacks were the primary method for spreading malicious programs in the country.
- There were more than 12 million detected threats.
- Of all Kaspersky users attacked by malicious software, 16 per cent were hit by web-borne threats.
- Local threats were more prevalent, Kaspersky adds, saying it thwarted more than 17.5 million such attacks in Q4. Servers had hosted 11.2 million incidents.
- Kaspersky says that the most frequent tactic to carry out a browser-borne attack is to implement an infection that exploits vulnerabilities in browsers and their plug-ins.
- The second most frequent tactic is social engineering.
- 2019 is going to be a tough year for cybersecurity professionals and individuals looking to stay safe online.
- Experts are saying crime will increase this year, cloud will present a huge cybersecurity challenge, and we are yet to feel the consequences of GDPR which will undoubtedly be painful for some.
- Shadow IT, IoT and DDoS will continue to give headaches to cybersecurity pros, and unless these problems make it to the boardroom, they’re only going to worsen.
*Source: ITPro Portal, January 22, 2019
DHS Issues Security Alert About Recent DNS Hijacking Attacks*:
- The US Department of Homeland Security (DHS) has published today an "emergency directive" that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran.
- The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed.
- The DHS documents also urge government IT personnel to monitor Certificate Transparency (CT) logs for newly issued TLS certificates that have been issued for government domains but were not requested by government workers (a sign that a malicious actor has hijacked a government domain's DNS records and is now requesting TLS certificates in its name).
- The emergency directive comes after the DHS issued an alert last week about ongoing DNS hijacking attacks through its US-CERT division.
- The DHS US-CERT alert was based on a report published last week by US cyber-security firm FireEye.
- The now infamous report detailed a coordinated hacking campaign during which a cyber-espionage group believed to operate out of Iran had manipulated DNS records for the domains of private companies and government agencies.
- The purpose of these DNS hijacks was to redirect web traffic meant for companies and agencies' internal email servers towards malicious clones, where the Iranian hackers would record login credentials.
- According to FireEye, the supposed Iranian group changed DNS records for victim companies/agencies after hacking into web hosting or domain registrar accounts, where they modified the DNS records of official websites, pointing web traffic towards their malicious servers, and later redirecting the legitimate traffic to the victim's legitimate site after collecting login details.
- According to a Cyberscoop report from earlier today, the DHS is currently aware of at least six civilian agency domains that have been impacted by DNS hijacking attacks.
- Now, DHS officials want to know the impact of this campaign on all US government agencies, and are giving agencies 10 business days (two weeks) to complete a four-step action plan detailed in the directive.
*Source: ZD Net, January 22, 2019
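The two checks the directive asks for (auditing DNS records against a known-good baseline, and spotting CT-logged certificates nobody in-house requested) can be sketched as follows. This is an added example, not code from DHS, FireEye or the article; the domains, serial numbers, record values and field names are constructed placeholders.

```python
# Added example: constructed data, hypothetical field names and domains.
MONITORED = {"agency.example"}

# Serial numbers of certificates the organisation actually requested
# (assumed to come from its own issuance records).
APPROVED_SERIALS = {"0a11"}

# Constructed CT log entries, one dict per logged certificate.
CT_ENTRIES = [
    {"serial": "0a11", "issuer": "Example CA A", "names": ["mail.agency.example"]},
    {"serial": "7f3c", "issuer": "Example CA B", "names": ["mail.agency.example"]},
    {"serial": "51d0", "issuer": "Example CA B", "names": ["*.agency.example"]},
    {"serial": "9e02", "issuer": "Example CA A", "names": ["www.unrelated.example"]},
]

# Audited known-good DNS records and what is being served now (constructed).
BASELINE = {("mail.agency.example", "A"): {"192.0.2.10"},
            ("agency.example", "NS"): {"ns1.agency.example"}}
OBSERVED = {("mail.agency.example", "A"): {"203.0.113.66"},
            ("agency.example", "NS"): {"ns1.agency.example"}}


def covers(cert_name, domain):
    """True if a certificate name (possibly a wildcard) falls under domain."""
    name = cert_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def unrequested_certs(entries, monitored, approved_serials):
    """Certificates logged for a monitored domain that nobody in-house requested."""
    return [e for e in entries
            if e["serial"] not in approved_serials
            and any(covers(n, d) for n in e["names"] for d in monitored)]


def dns_drift(baseline, observed):
    """Records whose current values differ from the audited baseline."""
    return {key: (want, observed.get(key, set()))
            for key, want in baseline.items()
            if observed.get(key, set()) != want}


if __name__ == "__main__":
    for e in unrequested_certs(CT_ENTRIES, MONITORED, APPROVED_SERIALS):
        print("unrequested certificate:", e["serial"], e["issuer"], e["names"])
    for (name, rtype), (want, got) in dns_drift(BASELINE, OBSERVED).items():
        print("DNS change:", name, rtype, sorted(want), "->", sorted(got))
```

A changed mail-server A record together with a certificate for the same name from an unexpected issuer matches the pattern the article describes: traffic redirected to a clone that presents a valid certificate.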
Americans Are So Jaded About Identity Theft, Cyber Crime*:
- Most Americans now believe it's only a matter of time before their identity is stolen but aren't taking the necessary steps to prevent that from happening, a new survey from SAP security solutions provider ERP Maestro reveals.
- Seventy-six percent of the 2,000 Americans ERP Maestro polled in December said they believe it's "inevitable" they will fall victim to identity theft and cybercrime.
- Yet less than half of respondents take precautions such as regularly reviewing their credit reports, keeping sensitive documents in a secret place, regularly changing their passwords, using a VPN when connected to public Wi-Fi networks, or paying for a credit monitoring service.
- Meanwhile, half of respondents or more take other preventative actions such as looking at their bank statements for fraudulent credit and debit charges, picking complex passwords, using firewalls and anti-virus software at home, and shredding their mail and other documents.
- On a more positive note, 72 percent of respondents said high profile breaches such as last year's Facebook-Cambridge Analytica scandal have caused them to change their behaviour.
- The recently disclosed Collection #1 breach, for instance, offers a good reminder to take precautions like enabling two-factor authentication and signing up for a password manager.
*Source: PC Mag, January 22, 2019
Enterprises Must Be Prepared For Mega Cyber Attacks: Check Point CEO*:
- The world is on the brink of facing mega cyber attacks and the enterprises need to be prepared more than ever before, a top executive of Israel-based cybersecurity solution provider Check Point Software Technologies said in Bangkok on Tuesday.
- Cyber attacks and data fraud or theft were listed in the top five of the World Economic Forum's 14th edition of "Global Risks Report 2019".
- According to him, most companies focus particularly on detecting the fraud.
- By the time a cyber attack is detected, which, according to the industry standard, is 5-6 months, the damage is already done.
- Most enterprises today are generally protected for only Gen 2 and Gen 3 viruses.
- Check Point Software Technologies also unveiled "Maestro", an industry-first hyperscale network security solution.
- "Maestro" is a new architecture that enables businesses of any size to enjoy the power of flexible Cloud-level security platforms and seamlessly expand their existing security gateways to hyperscale capacity.
- Check Point Software Technologies also introduced "Nano Security" -- Gen VI of cyber security which can be embedded on every device, web or Cloud service, applications and network, to protect the hyper-connected, hyperscale world.
- The three-day "CPX360" event is aimed at addressing most-pressing cyber security challenges and helping organisations of all sizes develop strategies to prevent cyber threats and sophisticated hackers impacting their business.
*Source: The News Minute, January 22, 2019
BlackRock’s Data Leak Hits 20,000 Advisers*:
- A data leak revealed last week at BlackRock exposed names, e-mail addresses and other information of about 20,000 advisers who are clients of the asset manager, including 12,000 at LPL Financial, the largest US independent broker dealer.
- BlackRock inadvertently posted a small number of sales-related documents, which were up for a short period of time, and promptly removed them.
- The information related to a very limited number of wealth management platforms impacting approximately 20,000 independent advisers in the US.
- LPL informed advisers over the weekend that BlackRock posted details about some of them on its website.
- The leak affected advisers who do business with BlackRock’s iShares exchange-traded funds (ETF) unit.
- BlackRock and LPL are the latest financial firms to be ensnared in a data issue affecting a key part of their business.
- ETF sales are crucial to BlackRock, which runs the world’s largest ETF business.
- Such products account for one third of the approximately $6-trillion in assets BlackRock oversees.
- Registered financial advisers who work with brokerages such as LPL are a key channel for getting ETFs into individual investor portfolios.
- BlackRock didn’t identify the other platforms affected.
- The company said it “recognises the seriousness of the error and we deeply regret that it occurred. We always seek to treat the information entrusted to us with great care.”
- Bloomberg News reported on Friday that BlackRock accidentally released information on thousands of financial advisers on its website.
- The data appeared in several spreadsheets, some of which included designations such as “club level”.
- LPL categorises advisers with such tiers, including a so-called “Chairman’s Club” for some top performers.
- In its statement, BlackRock said the disclosures resulted from human error.
- Sales-related information for an internal customer relationship management-related system was inadvertently posted on iShares.com, the company said.
- BlackRock said it notified affected firms about the leak, and that after performing reviews of its website, the company is confident it understands the “limited scope and implications” of the issue.
- No information about financial advisers’ end clients was included. And no sensitive personal or financial information about advisers or anyone else was included. Additionally, there was no ticker- or portfolio-level holdings information disclosed.
- LPL serves more than 16,000 financial advisers with functions including trading and compliance.
- In a separate incident in November, LPL said that it was investigating a data breach at a vendor firm, Capital Forensics, that put investors’ personal information at risk.
- Capital Forensics confirmed at the time that the attack exposed data from a “small number” of its clients.
- Keeping information secure is an increasingly important issue at financial firms, forcing them to brace against both cyber-attacks and human error.
*Source: Business Live, January 22, 2019
Google Fined 50 Million Euros For Violating GDPR*:
- When the European Union’s (EU's) General Data Protection Regulation (GDPR, discussed in a December 2017 client alert) took effect May 25, 2018, the French data protection regulator, Commission nationale de l'informatique et des libertés (CNIL), which translates to National Information Rights Commission, began investigating Google’s data privacy practices.
- Now, the CNIL has imposed on Google a €50 million fine (about $57 million), the largest to date under the GDPR, for lack of transparency, inadequate information, and lack of valid consent regarding its personalized ads.
- One focus of the GDPR is transparency: it requires that companies clearly explain how data are collected and used.
- Under the GDPR, companies must also have a lawful basis for processing data, such as user consent.
- CNIL said that Google’s consent mechanisms were too broad and did not adequately clarify to what users were consenting.
- Instead, users were largely unaware of what data they agreed to share or how Google used the data.
- For example, Google’s default setting is to display personalized ads to users.
- Although this setting could be changed, it lacks clear affirmative consent from a user.
- Further, Google would not allow users to create an account until they had agreed to its terms and conditions in full.
- Although the fine against Google is significant, it is far lower than the maximum penalty allowed under the GDPR, which is 4% of annual worldwide turnover.
- For Google, that would amount to more than $4 billion.
- However, being fined under the GDPR can bring other financial repercussions as a result of damage to a company's reputation.
- Consumers might be startled to learn that a company misappropriates their data, and they might cease using that company’s services.
- Few fines have been levied under the GDPR since it took effect, but CNIL’s fine against Google signifies EU member states’ seriousness about enforcing the regulation.
- GDPR enforcement actions that have not resulted in fines have imposed requirements on companies to become GDPR-compliant or cease non-compliant activity, which also brings other significant costs.
*Source: Lexology, January 25, 2019