Tag Archive for: face

How to face the new challenges in an ever-expanding – and risky – internet environment


Two decades ago, we kept everything relatively simple by containing our organization’s technology footprint within the closed fortress that was the corporate network. The IT staff determined which tools to deploy, and the security team figured out how to best protect them and the network.

This seems a distant memory now, thanks to modern innovation: Work-from-home (WFH) arrangements continue to transform the traditional office culture, with spikes in cloud adoption, shadow IT, and Bring Your Own … Everything. The resulting widespread connectivity has boosted productivity. But it has also ushered in a new era of exposure because of a vastly increased attack surface.

Consequently, chief information security officers (CISOs) and their teams can no longer afford to view their roles as an “after the fact,” reactive responsibility. They must instead take proactive steps to identify all internet-facing assets from the very beginning and protect them. With improved visibility and a “security first” commitment, companies can operate with peace of mind.

To illustrate this, we recently published research in which we evaluated the presence of a variety of risks and vulnerabilities in random samples of 2.2 million hosts in our Universal Internet Dataset (UIDS). Here’s what we found:

  • WFH brings new challenges. Connecting remotely, employee-users are expanding the attack surface, although in most cases this is an unintended result of their actions. Post-pandemic remote work has driven a 59% increase in the use of tools and devices not approved by IT (commonly called shadow IT), leading to unmanaged devices and services because IT and security teams are left out of the conversation. What’s more, we have found that organizations now use an average of 44 different domain registrars and 17 hosting providers – another likely outcome of shadow IT that further contributes to visibility issues.
  • Misconfigurations and exposures create the most risks. Misconfigurations – such as unencrypted services, insufficient or missing security controls, and self-signed certificates – account for about 60% of internet risks. Exposures of services, devices and information represent 28%.
  • Exposures are not…

Source…

300+ gallons for $30? Men accused of using device to steal gas face felony charges


NASSAU COUNTY, Fla. – Two men accused of stealing hundreds of gallons of fuel from a 7-Eleven gas station each face a felony charge of grand theft, as well as other charges, according to the Nassau County Sheriff’s Office.

Investigators said deputies were called to the gas station Monday on Lofton Square Court, where they determined two men had installed a device on a gas pump that restricts the flow meter on its pumping system. Arrest reports state the suspects used a key to open the pumps and place the manipulator inside and then used a small remote to control the device.

According to the Sheriff’s Office, the first theft was of 367 gallons of fuel valued at $1,757.93 — but the pump only showed a charge of $30.

The Sheriff’s Office said deputies determined the same two men were involved in a second theft. Investigators said just before the deputy arrived, the men had been pumping for approximately 10 minutes and took approximately 114 gallons of gas valued at about $546.


“It was determined that the suspects opened the gas pump cabinet using a key without authorization and knowingly and willfully installed a device, which caused the electronic computer system to understate the amount of fuel being pumped,” the Sheriff’s Office reported.

The two men arrested were identified as Ramon Vila-Garcia and Silvio Richard Aguila. Both are being held at the Nassau County jail.

Booking photos for Ramon Vila and Silvio Aguila provided by Nassau County Sheriff’s Office.

We spoke with cyber security expert Chris Hamer about the device the men were accused of using.

“It was obviously designed by somebody with internal knowledge of the machines because it is custom-made for intercepting the signal from the actual fuel flow meter and modifying it or replacing it with a slower count,” Hamer explained. “So the computer thinks less gasoline is passing through the pipe than it actually is.”

Hamer said devices like the one found by investigators are used by members of organized theft rings that target gas stations all across the U.S.


“The Secret Service is currently monitoring 40 groups in Florida alone,” Hamer said. “It’s a nationwide problem. It’s a worldwide problem…

Source…

Car thieves face curbs on online sales of key hacking technology fuelling surge in crime


Criminal gangs of car thieves face new legal curbs to prevent them buying DIY devices online to hack keyless technology and steal vehicles.



TELEMMGLPICT000296745048.jpeg - Moment RF


© Moment RF
TELEMMGLPICT000296745048.jpeg – Moment RF

Ministers and police chiefs are considering legislation to close loopholes that allow the devices to be bought online on sites including eBay and Amazon.

Amid a surge in thefts, the Telegraph found firms freely selling electronic equipment to hack keyless cars, jammers to disable trackers and modern “skeleton” keys to open and drive away vehicles.

Police chiefs and motor manufacturers are concerned the ready availability of the technology is fuelling a rise in car thefts which increased by 14 per cent last year to more than 105,000.

Criminals are getting the equipment online and then “productionizing” it for cheap mass use by gangs of thieves, according to Thatcham Research, the motor insurers’ automotive research centre.

Kit Malthouse, the policing minister, held a summit of police and car industry chiefs last week to consider counter measures and is understood to be “open” to new laws to close the loopholes.

Assistant chief constable Jenny Sims, the National Police Chiefs’ Council’s (NPCC) lead on vehicle crime, said she was engaged in a “big piece of work” with the online firms to prevent sales of the devices to criminals and restrict them to legitimate businesses such as garages, car dealers and locksmiths.

“We are looking at whether or not there are any legislative changes we can make, but at the same time we are working with sellers as legislation takes time. We’d rather do it voluntarily through the sellers who are cooperating,” she said.



TELEMMGLPICT000000835508.jpeg - PA


© Provided by The Telegraph
TELEMMGLPICT000000835508.jpeg – PA

It is not illegal to sell, buy or possess the technology but police can arrest prospective thieves if they have the equipment with them and can be shown to be “going equipped” to steal a vehicle.

One company based in Bulgaria offered an off-the-shelf “car relay attack unit.” This enables one member of a gang to scan and capture the signal from a keyless fob in a house before “relaying” it to a colleague by the car to open it and drive it…

Source…

Former Uber chief security officer to face wire fraud charges over coverup of 2016 hack


A U.S. District Court judge has ruled that former Uber Technologies Inc. Chief Security Officer Joe Sullivan must face wire fraud charges over allegations that he covered up a security breach involving the theft of 57 million passenger and driver records.

Sullivan (pictured) was initially charged in August 2020 with obstruction of justice and “misprision,” or concealment, of a felony by the U.S. Attorney’s Office in the Northern District of California. The Department of Justice added three additional charges against Sullivan in December, claiming that he arranged to pay money to two hackers to conceal the hacking.

Reuters reported Tuesday that lawyers for Sullivan argued prosecutors did not adequately allege he concealed the hacking to ensure that Uber drivers would not flee and would continue paying service fees. Judge William Orrick also rejected a claim that Sullivan was only attempting to deceive Uber’s then-Chief Executive Officer Travis Kalanick and Uber’s general counsel, not drivers.

“Those purported misrepresentations, though not made directly to Uber drivers, were part of a larger scheme to defraud them,” Orrick wrote.

The theft of the 57 million records took place in 2016 and came after Sullivan had assisted the Federal Trade Commission concerning Uber’s security practices following an earlier breach in 2014. Sullivan was made aware of the 2016 hack 10 days after providing testimony to the FTC but allegedly took steps to hide the details.

It is alleged that Sullivan paid the hackers by funneling the payoff through Uber’s bug bounty program. Sullivan also sought to have the hackers sign nondisclosure agreements that included a false representation that the hackers did not take or store any data. It was also alleged that Kalanick was aware of Sullivan’s actions.

The details of the hack only came to light when current CEO Dara Khosrowshahi took over the reins at Uber, but even then, Sullivan allegedly deceived the new management team by failing to provide them with critical details.

Uber paid $148 million in September 2018 to settle various investigations into the hack and its failure to disclose it at the time it happened. The two hackers were…

Source…