The scariest security horror stories of 2019


Cloud Pro

27 Dec, 2019

In what has become a regular feature here at IT Pro, we’re back again to take a look at some of the year’s most dramatic security stories, many of which were scarily similar to those we saw in 2018.

What’s clear is that businesses continue to face the same old threats, although you’ll see from our picks that there are plenty of examples of attackers using ingenious methods to breach systems.

Here’s our pick of 2019’s scariest security stories.

VFEmail’s nightmare year

The first entry on our list, and one of the earliest of 2019, involved an attack on US email provider VFEmail. In what was described as a catastrophic breach on VFEmail’s systems in February, the company’s infrastructure had been virtually wiped out overnight, with every disk on every server, including its backups, being destroyed.

Perhaps the most chilling part of the story is that there appeared to be no apparent motive behind the attack and that VFEmail may have been targeted randomly. No ransom was ever offered in exchange for the data, nor was there any evidence that the attacker was even interested in stealing the data.

Despite the loss, VFEmail remained committed to staying operational, although the company would come under repeated attack throughout the rest of 2019. Customers would face phishing attacks over the following few months, only for the main service to be hit by three consecutive DDoS attacks in late October and early November. To date, work is still ongoing to restore full functionality to its services.

NASA narrowly averts catastrophe

Next up we have one of our most widely read stories from the year, and an example of how the mishandling of relatively new hardware can pose a serious threat to legacy systems. In June, NASA revealed that a Raspberry Pi device had been blamed for a 2018 data breach that saw the theft of 500MB of mission system data.

An employee was said to have brought a Raspberry Pi into work without permission and connected it to NASA’s Jet Propulsion Laboratory network, which a hacker later targeted to gain access to adjoining systems.

The incident sparked a wider investigation into the organisation’s systems and networks, which found myriad flaws in its database management techniques and methods used to track devices and applications using internal networks. It was ruled that the JPL network was, in fact, incapable of detecting whether an unauthorised or unsecured device was attached to its network.

The report issued ten urgent recommendations for fixing NASA systems, all but one of which were implemented immediately. NASA was fortunate in this instance, as the relatively minor security incident revealed far greater problems plaguing its systems, which were mercifully fixed before disaster could strike.

Hackers at the door

For our next entry, we fast forward to November, where a vulnerability in Amazon’s Ring doorbells was discovered that could allow hackers to intercept their owner’s Wi-Fi passwords.

Researchers at Bitdefender discovered that by accessing a Wi-Fi network’s credentials, criminals could launch much larger and far more sophisticated attacks against a household. This was possible as the device stored passwords in plain text which were then communicated between a smartphone app and the doorbell using HTTP rather than the far more secure HTTPS.

The news prompted further calls for tougher legislation around the manufacture of connected devices, particularly when they are destined for the home.

King’s Cross, we barely recognise you

In what will likely set a precedent for the use of cutting-edge technology in public spaces, August saw an investigation by the Information Commissioner’s Office into the use of facial recognition technology at King’s Cross.

Private owners of the 67-acre site, which houses 50 buildings and is home to major companies such as Google, said they had introduced facial recognition technology alongside their CCTV system to improve the on-site public experience. However, both campaign groups and the Mayor of London Sadiq Khan criticised the decision as it was unclear precisely how the technology was being used. It also raised serious concerns about the capturing of personal data without consent.

The technology was eventually scrapped at the site; however, the owners have not ruled out the possibility of the technology returning at a later date.

The Collection Folders

What’s unusual about 2019 is that it only took 17 days before we saw what would be one of the largest data leaks of the year. Between late January and early February, a group of researchers determined that around 600GB worth of personal data had been leaked and was circulating online in caches known as “Collection” folders.

The initial discovery of the Collection #1 folder unearthed 773 million unique email addresses and 22 million passwords, figures that were then dwarfed when Collection folders 2 through 5 were then found. In total, it’s believed that around 2.2 billion emails and passwords were in the complete cache, now being shared around hacking forums.

It’s also believed that the data is an amalgamation of various leaks sourced from high profile data breaches, such as the enormous Yahoo hacks of 2013 and 2014. Despite the age of the data, security experts believe that criminals have relied on a lax approach to password hygiene and that many of the email and password pairs could still be exploited.

Citrix vs IRIDIUM

In March, Citrix revealed that it was working with the FBI to look into a breach on its systems after a number of documents had been reported stolen. Initial reports were light on detail, mainly as only very brief statements were issued by the company, and it would only be through the release of a report by cyber security firm Resecurity that we’d learn that around 6TB of data had been swiped in the raid.

The company had a number of high-profile customers at the time, including large corporations and both the US military and government.

Resecurity had traced the attack back to an Iranian hacking group known as IRIDIUM, which had bombarded a number of Citrix accounts with commonly used passwords, known as password spraying, before gaining a foothold. After this, the group was then able to methodically bypass each additional security layer, including two-factor authentication.

The IRIDIUM group had reportedly targeted hundreds of thousands of people at more than 200 companies during the previous two years leading up to the hack on Citrix, according to figures provided by Microsoft.

Microsoft: “We told you so…”

One of our most-read stories of the year actually surfaced at the beginning of December.

According to Microsoft threat researchers, 44 million of its customers were still using passwords that had been compromised in the past by large scale data breaches. This included both general users of Microsoft Service Accounts, as well as Azure Active Directory accounts owned by businesses.

Following a check on a database of three billion credentials sourced from public accounts and law enforcement, it was found that the 44 million customers were using the same compromised passwords across a number of online services.

The discovery forced Microsoft to issue a password reset to all affected customers, including an alert to business admins to reset user credentials. The company also urged customers to turn on multi-factor authentication.

Despite the shocking figure, the news potentially served as great PR for Microsoft – the company has long been attempting to move customers away from passwords onto more secure passwordless authentication. The company revealed to IT Pro in November that it had managed to move 100 million customers to biometric authentication, although it would take at least three more years to move the remaining 700 million users.

XSS the most widely-used attack method of 2019


Keumars Afifi-Sabet

23 Dec, 2019

The most widely-used cyber attack method used to breach large companies in 2019 was cross-site scripting (XSS), according to research. 

The hacking technique, in which cyber criminals inject malicious scripts into trusted websites, was used in 39% of cyber incidents this year.

This was followed by SQL injection and Fuzzing, which were used in 14% and 8% of incidents respectively. Among other widely-used methods are information gathering, and business logic, although both were used in less than 7% of incidents.

With 75% of large companies targeted over the last 12 months, the report by Precise Security also revealed the key motivation behind cyber crime has been the opportunity for hackers to learn.

Almost 60% of hackers conducted cyber attacks in 2019 due to the fact it presents a challenge. Other prominent reasons for hacking a company’s systems include to test the security team’s responsiveness, and to win the minimum bug bounty offered. ‘Recognition’ ranked sixth in the list of motivations, and was cited by just 25% of hackers. Bizarrely, 40% also said that they preferred to target companies that they liked.

Digging into industry-specific insights, additional research published this month also revealed the most prominent attack method faced by sectors within the UK economy.

The most prevalent hacking technique in the business, finance and legal sectors, for example, was macro malware embedded into documents, according to statistics compiled by Specops Software. 

Retail and hospitality firms, meanwhile, suffered mostly from burrowing malware, present in 51% of attacks, as did governmental organisations, registering 37% of incidents.

The healthcare industry was susceptible mostly to man-in-the-middle attacks, in which communications between two computer systems are intercepted by a third-party. 

Distributed denial of service (DDoS) attacks were the most common form of attack faced by the technical services industry, with 58% of incidents using this method.

As for how these attacks are conducted specifically, the Precise Security report showed that 72% of platforms used as a springboard for cyber crime are websites. WordPress, for example, is a prime target due to the massive userbase, with 90% of hacked CMS sites in 2018, for instance, powered by the blogging platform.

Application programming interfaces (APIs) were the second-most targeted platforms in 2019, being at the heart of 6.8% of incidents, with statistics showing Android smartphones are usually involved in such attacks.

How to improve cloud management through a cloud resource tagging policy

Good cloud governance relies on good tag hygiene: a disciplined, well-designed approach to tagging.

In the multi-cloud environments that enterprises are embracing, implementing enterprise-grade cloud governance platforms is the key to successful management of highly complex pricing structures and evolving cloud services. Using automation to maintain good tag hygiene will support critical governance initiatives for cloud security, cloud cost reporting, and cloud cost optimisation.

Applying a consistent set of tags—specifically for governance—globally across all of your resources will add metadata specific to your organisation. This can help improve categorisation of each of your cloud resources for cost allocation, reporting, chargeback and showback, cost optimisation, compliance, and security. Once implemented, a robust tagging policy will enable your organisation to optimise costs across all cloud providers and guarantee that your company has access to all of the cloud services it requires.

Understand tagging policy

In the absence of a tagging policy, it’s all too common for individuals or teams to use variations of the same tag. When this happens, accurate reporting becomes extremely difficult. To avoid these complications, and to ensure that tags are used effectively for governance and reporting purposes, having a tagging policy is absolutely critical.

A well-defined tagging policy incorporates:

  • Global tags, including how they will be applied consistently by all applications and teams in the organisation. The first table below provides recommended global tags; use this as a starting point from which your organisation can customise with specific tags and naming conventions.
  • Each cloud provider’s tags. As each cloud provider has different limits and restrictions on tags, your tagging policy must accommodate these parameters. The second table below identifies tags for AWS, Azure, and Google Cloud (GCP).
  • Guidelines for how individual teams or applications may add additional tags for their specific needs.
  • Consistent naming conventions, including spacing and uppercase/lowercase conventions.

Automation is key to implementing tags. For example, if you are using a cloud management platform for provisioning, all templates should be set up to attach the appropriate tags.

Implement and monitor your tagging policy

Create a staged rollout process for your tagging policy. This will help ensure effective implementation and monitoring, aided by buy-in from all relevant parties.

  • Stage 1: Define the tagging policy: Have your cloud governance team lead a process to define a global tagging policy. The team should work with key stakeholders to get feedback and buy-in. Once this team specifies the required global tags, development teams and resource owners should be responsible for adding the global tags. Central IT may assist with scripts and tools.
  • Stage 2: Reporting: The cloud governance team creates reports that show the current state; track improvements in tag coverage; and identify the level of coverage for global tags, by team or group. Distribute these reports weekly.
  • Stage 3: Alerting: Your cloud governance team sets up daily automated alert emails about resources that are missing the required tags. (An organisation may choose to stop at Stage 3 if it has achieved the desired adoption of global tags.)
  • Stage 4 (optional): Alerting with automated termination or escalation: The cloud governance and central IT teams should also set up automated “tag checking” to alert on missing tags and enforce the use of tags. Alerts on untagged resources specify a defined window (e.g. 24 hours) to tag resources. Enforcement could include sending an escalation to managers or, in some cases, adding default tags or even terminating instances that aren’t tagged correctly (only for non-production workloads).
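The four stages above amount to one automated loop: normalise tag keys to the policy’s naming convention, report coverage per team, and raise alerts whose action depends on the grace window and on whether the workload is production. The following script is an added example written for this article, not the project’s or any vendor’s code. The inventory records, the required tag names, the 24-hour window and the lower-case hyphenated key convention are all assumptions; a real deployment would replace the constructed inventory with an export from the cloud management platform.

```python
"""Tag-hygiene audit over a constructed multi-cloud inventory (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed required global tags; an organisation substitutes its own list.
REQUIRED_TAGS = ("owner", "cost-center", "environment", "application")
GRACE_PERIOD = timedelta(hours=24)          # Stage 4 window, as in the policy text
NON_PROD = {"dev", "test", "nonprod", "staging"}  # only these may be terminated

# Constructed sample inventory (not real resources): what a provisioning
# platform might export for AWS, Azure and GCP resources, with creation time.
NOW = datetime(2019, 12, 20, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"provider": "aws", "id": "i-0a1b2c", "created": NOW - timedelta(hours=30),
     "tags": {"Owner": "team-web", "cost-center": "CC100",
              "environment": "prod", "application": "shop"}},
    {"provider": "azure", "id": "vm-analytics-01", "created": NOW - timedelta(hours=2),
     "tags": {"owner": "team-data", "CostCenter": "CC200", "environment": "dev"}},
    {"provider": "gcp", "id": "batch-worker-7", "created": NOW - timedelta(hours=50),
     "tags": {"owner": "team-data", "environment": "nonprod"}},
    {"provider": "aws", "id": "i-ffee99", "created": NOW - timedelta(hours=72),
     "tags": {}},
]


def normalise_key(key):
    """Assumed convention: lower-case, hyphen separated.
    'CostCenter' -> 'cost-center', 'Owner' -> 'owner', 'cost_center' -> 'cost-center'."""
    out = []
    for i, ch in enumerate(key):
        prev = key[i - 1] if i > 0 else ""
        if ch.isupper() and prev and prev not in "-_" and not prev.isupper():
            out.append("-")
        out.append(ch.lower())
    return "".join(out).replace("_", "-")


def normalise_tags(tags):
    return {normalise_key(k): v for k, v in tags.items()}


def missing_tags(resource):
    """Required tags that are absent or empty after key normalisation."""
    tags = normalise_tags(resource["tags"])
    return [t for t in REQUIRED_TAGS if not str(tags.get(t, "")).strip()]


def coverage_report(inventory):
    """Stage 2: resources and fully compliant resources per owner team.
    Resources without an owner tag roll up under 'unowned'."""
    report = defaultdict(lambda: {"resources": 0, "compliant": 0})
    for r in inventory:
        owner = normalise_tags(r["tags"]).get("owner", "unowned")
        report[owner]["resources"] += 1
        if not missing_tags(r):
            report[owner]["compliant"] += 1
    return dict(report)


def alerts(inventory, now=NOW):
    """Stages 3 and 4: one alert per non-compliant resource. Inside the grace
    window the owner is notified; after it, non-production workloads are marked
    for termination and everything else (including resources whose environment
    is unknown, which might be production) is escalated to a manager."""
    out = []
    for r in inventory:
        missing = missing_tags(r)
        if not missing:
            continue
        env = normalise_tags(r["tags"]).get("environment")
        if now - r["created"] <= GRACE_PERIOD:
            action = "notify-owner"
        elif env in NON_PROD:
            action = "terminate"
        else:
            action = "escalate-to-manager"
        out.append({"provider": r["provider"], "id": r["id"],
                    "missing": missing, "action": action})
    return out


if __name__ == "__main__":
    for team, stats in coverage_report(INVENTORY).items():
        print(f"{team}: {stats['compliant']}/{stats['resources']} compliant")
    for a in alerts(INVENTORY):
        print(f"{a['provider']} {a['id']} missing {a['missing']} -> {a['action']}")
```

Key normalisation is what keeps the weekly report honest: `Owner` and `CostCenter` count as the policy’s `owner` and `cost-center` instead of inflating the missing-tag list. The untagged resource `i-ffee99` is escalated rather than terminated because its environment is unknown, which is the safe reading of the “only for non-production workloads” rule.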

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Google services knocked offline after fibre cables cut


Bobby Hellard

20 Dec, 2019

Fibre optic cables in two separate areas were cut at the same time on Thursday morning, leaving parts of Eastern Europe, Iran and Turkey without internet access.

The severing of cables belonging to a third-party telecommunications provider resulted in a loss of connectivity for Google between Bulgaria and the rest of its production network. The issue lasted for two hours and took down Google’s services in those regions.

Sadjad Bonabi, a director at Iran’s Communications Infrastructure Company, told the BBC that two cuts happened at once: one between Iran and Bucharest and the other on a line to Munich.

Multiple cuts to fibre optic cables happening at the same time is a very rare occurrence, according to Google, which also said it has now launched an investigation into the incident.

“The issue with multiple simultaneous fibre cuts affecting traffic routed through Google’s network in Bulgaria has been resolved for all affected users as of 2019-12-19 2:36 US/Pacific,” Google Cloud’s status dashboard said. “Google services were not reachable for users who were accessing these Google services primarily through our Bulgaria network point of presence.”

“We have identified the root cause and routed affected traffic around the impacted parts of our network. We are conducting an internal investigation and will provide a detailed public incident summary at a later date.”

The UK has also experienced a number of incidents involving cable theft or damage throughout 2019. In August and September a spate of attacks on broadband cabling in Cambridgeshire left 4,000 homes and businesses without internet access, with 500 metres of copper wiring stolen as a result.

Amazon criticises New York Times’ reporting of open source theft concerns

AWS vice president Andi Gutmans has penned a scathing response to an article highlighting concerns that Amazon is stealing the innovations of startups.

New York Times journalist Daisuke Wakabayashi wrote an article titled Prime Leverage: How Amazon Wields Power in the Technology World in which he highlighted several cases where Amazon is said to have "strip-mined" (as startups have coined it) open source technology.

The main example is of Amsterdam-based startup Elastic that was rapidly expanding and whose product, ElasticSearch, was already available for AWS. In 2015, Amazon said it was going to copy the freely-available ElasticSearch and make it a paid service.

Amazon began making more cash than Elastic by offering deeper integration with its own products. Elastic responded by making premium features which Amazon then reportedly copied and made free.

Elastic is now suing Amazon for violating its trademark by calling their own product ElasticSearch. In the complaint, Elastic stated that Amazon "misleads customers". The court case is still pending.

Wakabayashi goes on to highlight other cases where Amazon is accused of the aforementioned strip-mining. One is MongoDB, which Amazon is said to have copied the “look-and-feel” of an older version. Furthermore, when AWS customers search for "MongoDB" from the management console, they are provided with Amazon's own alternative which states that it's “compatible with MongoDB.”

During a dinner which MongoDB's chief executive Dev Ittycheria had with the heads of six other tech firms, the conversation reportedly switched to whether to publicly accuse Amazon of behaving like a monopoly.

Wakabayashi even sourced comments from people who actively decided against making their products open source due to fear that Amazon would copy them.

"The journalist largely ignores the many positive comments he got from partners because it’s not as salacious copy for him," Gutmans said in a blog post.

However, not all of the cases highlighted by Wakabayashi were negative. Databricks' chief executive Ali Ghodsi said that AWS salespeople lifted the sales of his company's products and that he doesn't "see them using shenanigans to stop us."

Gutmans insisted that Amazon "contributes mightily to open source projects" and that "AWS has not copied anybody’s software or services."

It must be reiterated that Elastic is not suing Amazon for copying its product as it was open source. Executives from MongoDB, on the other hand, suggested to SiliconAngle earlier this year that they believe Amazon's DocumentDB is a copy of their product that's “based on MongoDB code from two years ago.”

Rightly or wrongly, it's clear there are serious concerns within the industry about how Amazon is wielding its power. Reaching out to understand why executives from these companies hold such concerns would be a more productive approach than criticising journalists for reporting them.


Facebook apps dominated this decade’s mobile market


Nicole Kobie

18 Dec, 2019

The most downloaded apps of the last decade have been revealed – and the top four are all now owned by Facebook.

According to the analysts at App Annie, the most downloaded apps globally from 2010 until now are Facebook, Messenger, WhatsApp and Instagram. WhatsApp was bought by Facebook in 2014 for $19 billion, while Instagram was bought in 2012 for $1 billion.

“Looking at the most downloaded apps of the decade, Facebook has dominated the mobile space representing the four most downloaded apps of the decade with Facebook, Facebook Messenger, WhatsApp and Instagram,” said App Annie market insight manager Adithya Venkatraman in a blog post. “Communication and social media apps are consumer favorites, accounting for seven of the top 10 apps by downloads this decade.”

The figures may add fuel to the fire for regulators, amid calls to break up Facebook’s dominance in the market — or at least stop it hoovering up more rival apps. Indeed, Facebook is being investigated by US authorities over antitrust concerns, with reports suggesting the Federal Trade Commission could use an injunction to block the company from moving forward with plans to more closely link its various messaging apps, as such code sharing would make it difficult to break up the company in the future, should it be deemed necessary by regulators.

The Facebook apps were followed in the rankings by Snapchat, Skype and TikTok. The latter was one of two apps in the top ten, along with the UC Browser by Alibaba, that were released by Chinese companies instead of American ones. TikTok’s inclusion in the list is particularly impressive given that it was only released in 2016.

While Facebook has the most downloads, it doesn’t necessarily make the most money in the mobile market. According to App Annie, the top apps by consumer spend over the last decade were Netflix, Tinder and Pandora. Still, Facebook has increased its revenue from mobile which now makes up 94% of the company’s advertising revenue, according to the company’s third-quarter results. That’s a far cry from 2012, just after the company went public, when investors worried about the company’s inability to make money from mobile users.

While Facebook has found success with advertising on Instagram, it’s still looking for ways to earn revenue from WhatsApp, in particular by charging businesses that use the app to contact customers.

Facebook aside, the App Annie stats highlighted that the past decade has been all about mobile, and that looks set to continue. “This decade has been a time of remarkable growth for the mobile economy,” added Venkatraman. “With a 5% increase in downloads, and 15% growth in consumer spend… year-over-year in 2019 this looks set to continue in 2020.”

Google Cloud partners with Palo Alto, McAfee, and others to bolster security

With an aim to strengthen its security and attract more enterprise customers to its cloud platform and services, Google Cloud has announced its partnership with Palo Alto Networks, Qualys, McAfee, Fortinet and ForgeRock.

Google Cloud and Palo Alto Networks will be jointly working on the development of a new multi-cloud security framework for Anthos, which is Google Cloud’s hybrid platform, and multi-cloud Kubernetes deployments. According to the companies, the framework will make use of Palo Alto Networks’ Prisma Cloud security platform and its VM-Series virtual firewalls which will focus on helping customers of Google Cloud deploy a common compliance and runtime security posture across all of their workloads.

Along with this latest security framework, both Google Cloud and Palo Alto Networks have also announced a new threat intelligence integration that will be merging Google Cloud’s Event Threat Detection product with Palo Alto Networks AutoFocus threat intelligence service. The companies also said that integrating signals based on Google’s own internal sources with additional visibility from Palo Alto Networks footprint of network, endpoint, and cloud intelligence sources will help joint customers proactively identify and stop threats. In the first half of 2020, the companies are planning to launch both the new security framework and threat intelligence integration.

Google Cloud’s new partnership with McAfee will be merging that vendor’s endpoint security technology for Linux and Windows workloads along with its Mvision Cloud platform for container security, on Google Cloud infrastructure.

In another extended integration with Google Cloud, Fortinet announced a reference architecture for customers in order to connect distributed branches to Google Cloud Platform with Fortinet’s SD-WAN. According to Fortinet, its FortiCWP product will soon be integrated with GCP’s Cloud Security Command Center to offer additional workload protection and visibility.

Google Cloud’s partnership with Qualys will make its cloud-based security and compliance products available via the Google Cloud Marketplace. The latest integration will include the Qualys Cloud Agent — a lightweight scanner that according to the vendor will enable two-second global visibility. With Qualys on Google Cloud, vulnerability findings are available in the GCP Security Command Center on its own. Similar findings are also present centrally in the Qualys Cloud Platform that allows security teams to track as well as report across the entire enterprise.

ForgeRock too has joined the Google Cloud Partner Advantage Program and has said that it is the first premier-level identity management vendor in the program. ForgeRock announced the launch of its Cloud platform-as-a-service which is built on GCP that includes a software-as-a-service for embedding modern identity capabilities into apps.


Intel spends $2bn on Habana Labs in AI data centre push


Nicole Kobie

17 Dec, 2019

Intel is pushing further into artificial intelligence (AI) with the $2 billion (£1.5bn) acquisition of Habana Labs, an Israeli developer of deep-learning hardware.

In 2016, Intel bought Habana Labs competitor Nervana for $400 million, shortly afterwards scooping up computer-vision chip startup Movidius. In 2015, Intel bought reprogrammable chip maker Altera for $16 billion. As of 2017, Intel said it had invested more than $1 billion in AI companies.

And it’s starting to pay off, as last month Intel launched a pair of chips designed specifically for artificial intelligence in cloud environments, focused on training and inference using Nervana technology, as well as a computer-vision processing unit.

Habana Labs builds AI accelerators, which are a type of processor designed specifically for AI applications, such as machine learning or computer vision — they’re what a GPU is for graphics, but for AI.

Habana will remain independent from Intel with the current management team remaining in place, and continue to be based out of Israel.

The acquisition isn’t a surprise; Intel had previously invested in the company via its Intel Capital division. “We have been fortunate to get to know and collaborate with Intel given its investment in Habana, and we’re thrilled to be officially joining the team,” said David Dahan, CEO of Habana.

Habana Labs has two processor lines for cloud computing: the Gaudi and the Goya. The former is a processor designed for training AI systems. It’s not yet available, but company data claims it beats Nvidia’s equivalent on industry benchmarks, offers a 4x increase in throughput versus GPU-based systems, and Intel says the technology is already being trialled by some hyperscale customers.

The latter, the Goya, was released last year, and specialises in AI inference, when a trained system uses what it already knows about the world to make decisions, predictions, or otherwise analyse data, making them useful for the Internet of Things, for example.

“This acquisition advances our AI strategy, which is to provide customers with solutions to fit every performance need – from the intelligent edge to the data center,” says Navin Shenoy, executive vice president and general manager of the Data Platforms Group at Intel, in a statement. “More specifically, Habana turbo-charges our AI offerings for the data center with a high-performance training processor family and a standards-based programming environment to address evolving AI workloads.”

Google Cloud gains fresh security partners and tools


Nicole Kobie

17 Dec, 2019

Google has unveiled new security tools and partnerships for its Cloud. 

That includes a new endpoint security management solution that works with McAfee, Palo Alto, and Qualys, as well as a partnership with McAfee to add its MVISION cloud-based system for security, threat prevention, and compliance for container workloads. 

“Increasingly, customers are choosing to move critical workloads and applications to the cloud because of the strong security protections it can provide,” said Anand Ramanathan, vice president of product and marketing at McAfee. “As more of these enterprises choose to leverage Google Cloud’s hyperscale capabilities, we’re excited to integrate our core capabilities in VM and container security to ensure Google Cloud customers can benefit from the highest levels of data protection and threat prevention.”

Google is also adding Citrix Workspace for Google Cloud, which integrates with G Suite for sign-on and authentication, as well as analytics and web filtering.

“Also, users will be able to seamlessly authenticate using G Suite credentials early next year to provide simple, secure access to the apps and information they need to do their jobs anywhere, on any device,” note Kevin Ichhpurani, vice-president of global ecosystem at Google Cloud, and Sunil Potti, vice-president for engineering at Google Cloud Security, in a blog post. 

The announcement also includes partnerships with SIEM provider Exabeam, digital identity vendor ForgeRock, and endpoint security firm Tanium, as well as extensions of existing support for Fortinet and Palo Alto. The latter includes a joint-developed security framework for multi-cloud environments with Anthos, as well as threat detection tools.

“By partnering with Google Cloud to deliver a jointly developed security framework for multi-cloud environments and the new integration for threat intelligence, we will simplify how customers secure their cloud native environments, whether they are single or multi-cloud,” said Rahul Sood, Senior Vice President of Prisma Cloud at Palo Alto Networks.

Alongside the security providers, Google Cloud is also expanding its support with systems integrators and managed services providers, including Deloitte, IBM Security, Wipro and more.

The aim of such partnerships, says Google, is to make it easier for its cloud customers to more easily use their preferred security tools from existing vendors. “We want to meet you where you are, allowing you to preserve your investments, as well as benefit from functionality you can’t get on other clouds,” said Ichhpurani and Potti. “That’s why we work closely with partners in the security industry to help you better secure your applications and information.”