Elements Financial Credit Union hired its first full-time fraud investigator last September in an effort to thwart socially engineered schemes waged against call centers as well as debit fraud linked to card breaches, says Chris Sibila, executive vice president of payments and technology at the $1.3 billion institution based in Indianapolis.
And the new position has already more than paid for itself by ensuring the credit union is catching and stopping fraud sooner, Sibila says in an interview with Information Security Media Group conducted at CO-OP Financial Services' recent THINK 17 conference in New York.
Creating the new position "was born from the fact that we were seeing a lot more losses in our debit card portfolio, because we hadn't quite finished the EMV conversion yet," he adds. "We really needed someone who could come in, look at things - not only in our cards, but check fraud, ACH and wires, just everything and even the authentication processes our contact center uses - to make sure they're really talking to the member. And one of the things I told him immediately is that all you have to figure out is how to pay for yourself ... by stopping and detecting things early, or protecting our members."
In this interview (see audio link below photo), Sibila also discusses:
Why the LinkedIn data leak of 2016 has had a dramatic impact on credit union members and Elements Financial's ability to authenticate using conventional methods;
How phishing attacks waged against the credit union's employees have continued to come in waves; and
Why Elements Financial no longer automatically reissues debit and credit cards after a breach.

Sibila, who joined Elements Financial in August 2015, oversees all lines of business related to payments and technology. Previously, he served as director of product management and global consumer technology at Citibank and as COO at Atlantic Bank & Trust.
Google today announced a series of improvements to Gmail’s security aimed at making the service better at protecting business data.
As part of the newly rolled out update, Gmail will provide customers with early phishing detection capabilities and "click-time warnings" for malicious links that might have been included in messages coming from outside sources. External reply warnings were also rolled out to help prevent data loss, Andy Wen, Senior Product Manager, Counter Abuse Technology at Google, says.
Gmail’s updated phishing detection mechanism takes advantage of machine learning, and Wen claims the service can keep sneaky spam and phishing messages out of customers’ inboxes with an over 99.9% accuracy. He also points out that 50%-70% of all messages received in Gmail are spam.
To improve their spam detection accuracy, Google launched early phishing detection, a dedicated machine learning model designed to selectively delay messages to perform rigorous phishing analysis. Only potentially suspicious messages will be flagged and delayed to perform additional checks on their content.
According to Wen, this should impact less than 0.05% of messages on average but should result in improved user data protection. In some cases, the additional checks could result in some messages arriving in the user’s inboxes with a delay of up to 4 minutes.
The feature, however, isn’t meant to replace anti-malware/phishing software, and admins can control it from the Admin console. The feature is on by default, Google says.
Paired with Google Safe Browsing machine learning, the detection models also aim at finding phishy and suspicious URLs and flagging them to the user.
These models leverage techniques such as reputation and similarity analysis on URLs, thus resulting in Gmail generating new URL click-time warnings for phishing and malware links. The feature was rolled out for Gmail on Android in the beginning of the month.
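The combination of reputation lookup and URL similarity analysis described above can be illustrated with a small click-time check. The following is an added example and is not Google's or Safe Browsing's code; the known-good domains, the blocklist contents, the character-folding rules and the edit-distance threshold are all constructed for the illustration.

```python
# Added example (not Google's or Safe Browsing's code): a click-time URL check
# combining a reputation list with lookalike (similarity) analysis against a
# list of legitimate domains. All domains and list contents are constructed.
from urllib.parse import urlsplit

# Constructed "known good" domains the user is expected to log in to.
KNOWN_DOMAINS = {"accounts.google.com", "mail.google.com", "login.microsoftonline.com"}
# Constructed reputation feed of domains already known to host phishing/malware.
BLOCKLIST = {"evil.example"}
MAX_EDIT_DISTANCE = 2   # assumed threshold for a "lookalike" verdict


def normalize_host(host):
    """Fold common character-substitution tricks so lookalikes compare equal."""
    host = host.lower().rstrip(".")
    for pair, single in (("rn", "m"), ("vv", "w")):
        host = host.replace(pair, single)
    return host.translate(str.maketrans("0135", "olse"))


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url):
    """Return (verdict, reason) where verdict is 'allow', 'warn' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    if not host:
        return ("warn", "no hostname in URL")
    # 1. Reputation: exact domain or any subdomain of a blocklisted domain.
    if host in BLOCKLIST or any(host.endswith("." + bad) for bad in BLOCKLIST):
        return ("warn", "domain on reputation blocklist")
    # 2. Exact match against the known-good list.
    if host in KNOWN_DOMAINS:
        return ("allow", "known domain")
    # 3. Similarity: homoglyph folding and small edit distance to a known domain.
    folded = normalize_host(host)
    for known in KNOWN_DOMAINS:
        if folded == known or levenshtein(folded, known) <= MAX_EDIT_DISTANCE:
            return ("warn", "lookalike of " + known)
        # 4. Known domain used as leading labels of an unrelated domain
        #    (accounts.google.com.attacker.example).
        if host.startswith(known + "."):
            return ("warn", "known domain embedded in " + host)
    return ("unknown", "no reputation data")


if __name__ == "__main__":
    for u in ("https://accounts.google.com/signin",
              "https://acc0unts.google.com/signin",
              "https://accounts.googIe.com/",
              "https://accounts.google.com.attacker.example/",
              "https://download.evil.example/x",
              "https://example.org/"):
        print(u, assess_url(u))
```

The order of the checks matters: reputation is consulted before the similarity step so that a blocklisted host is never reported as merely "unknown", and the exact known-good match comes before similarity so that the legitimate domain itself is not flagged as a lookalike of itself.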
Aiming at preventing data loss, Gmail now displays unintended external reply warnings to users when they try to respond to someone outside the company domain. The service should know if the recipient is an existing contact or someone the user interacts with regularly, thus avoiding unnecessary warnings being displayed.
“This feature can give enterprises protection against forged email messages, impersonation, as well as common user-error when sending mail to the wrong contacts,” Google explains.
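As an added example (not Google's code), the following shows one way the external-reply logic described above can be implemented: a recipient outside the company domain triggers a warning unless the address is in the user's address book or the user has corresponded with it regularly. The company domain corp.example, the address book, the interaction log and the "regular contact" threshold are all assumptions for the illustration.

```python
# Added example (not Google's code): a simplified "unintended external reply"
# check of the kind the article describes. Assumptions, not from the article:
# the company domain is corp.example, the address book is a set, and a log of
# prior correspondents supplies the "interacts with regularly" signal.
from collections import Counter
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "corp.example"   # assumed company domain
REGULAR_THRESHOLD = 3             # assumed: this many prior exchanges = regular contact


def address_domain(address):
    """Lower-cased domain of a bare or 'Name <addr>' address; '' if malformed."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_internal(address, company_domain=COMPANY_DOMAIN):
    """True only for the company domain or a subdomain of it.

    A dotted-suffix test ('.corp.example') is used rather than a substring
    test, so corp.example.attacker.test is correctly treated as external."""
    domain = address_domain(address)
    return domain == company_domain or domain.endswith("." + company_domain)


def external_reply_warnings(recipients, contacts, interaction_log):
    """Return the recipient addresses that should trigger an external-reply warning.

    recipients:      header-style strings ("Name <addr>" or a bare address)
    contacts:        addresses in the user's address book
    interaction_log: addresses the user has previously exchanged mail with
    """
    seen = Counter(a.lower() for a in interaction_log)
    known = {c.lower() for c in contacts}
    flagged = []
    # getaddresses() separates display name from address, so a display name
    # that merely looks like an internal address does not suppress the warning.
    for _, addr in getaddresses(recipients):
        addr = addr.lower()
        if not addr or is_internal(addr):
            continue
        if addr in known or seen[addr] >= REGULAR_THRESHOLD:
            continue
        flagged.append(addr)
    return flagged


if __name__ == "__main__":
    # Constructed sample data.
    address_book = {"bob@partner.example"}
    history = ["carol@vendor.example"] * 3 + ["dave@vendor.example"]
    drafts = [
        "Bob <bob@partner.example>",                    # in address book: no warning
        "carol@vendor.example",                         # regular correspondent: no warning
        "dave@vendor.example",                          # rare correspondent: warn
        '"cfo@corp.example" <cfo@lookalike.example>',   # spoofed display name: warn
        "eve@mail.corp.example",                        # internal subdomain: no warning
    ]
    print(external_reply_warnings(drafts, address_book, history))
    # → ['dave@vendor.example', 'cfo@lookalike.example']
```

The decision is made on the parsed address, never on the display name, which is the detail that matters for the impersonation case the article mentions: a forged display name that reads like a colleague's address does not make the recipient internal.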
In addition to these enhancements, Google’s email service also received new built-in defenses against ransomware and polymorphic malware, meant to help it block millions of other messages that could potentially harm users.
The feature is meant to correlate spam signals with attachment and sender heuristics, and should result in successfully predicting messages containing new and unseen malware variants, Sri Somanchi, Product Manager, Gmail anti-spam, says.
“We classify new threats by combining thousands of spam, malware and ransomware signals with attachment heuristics (emails that could be threats based on signals) and sender signatures (already marked malware),” Wen notes.
Related: Gmail Delivers Spoofed Messages Without Warning, Researchers Find
Related: Gmail to Block JavaScript File Attachments
A special report on cybersecurity during the era of Donald Trump is featured in the latest edition of the ISMG Security Report.
In the Security Report, you'll hear (click on the player below to listen) excerpts from the May 16 keynote panel at Information Security Media Group's Breach Prevention Summit in Washington, featuring:
Christopher Krebs, special counsel to Homeland Security Secretary John Kelly, who joined the department earlier this year from Microsoft, where he served as director of cybersecurity policy. During the last two years of the George W. Bush administration, he served as a policy adviser at DHS.
Ari Schwartz, managing director of cybersecurity services and policy at the Venable law firm. He held senior cybersecurity policy positions at the Barack Obama White House, including special assistant to the president, and the Department of Commerce. Before joining the government, Schwartz was vice president and chief operating officer at the advocacy group Center for Democracy and Technology.
Jeremy Grant, managing director at the security consultancy The Chertoff Group and former senior executive adviser for the National Strategy for Trusted Identities in Cyberspace, based at the National Institute of Standards and Technology.
Randy Sabett, special counsel focused on cybersecurity and privacy at the law firm Cooley. A former crypto-engineer at the National Security Agency, he served on the Commission for Cybersecurity for the 44th President.
Steven Chabinsky, global chair of data, privacy and cybersecurity at the law firm White & Case, and former deputy assistant director for cyber at the FBI. He served on Obama's Commission on Enhancing National Cybersecurity.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Check out our May 23 and May 26 reports, which respectively analyze an investigation into security failures associated with voice biometric access to HSBC's telephone banking service and DHS Secretary John Kelly's congressional testimony on how DHS led government efforts to mitigate the WannaCry ransomware attacks.
The next ISMG Security Report will be posted on Friday, June 2.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
Ethical Debate: OK to Pay Shadow Brokers for Exploit Dumps?
Goal of Crowdfunding by Security Researchers Is to Prevent Future WannaCrys
A crowdsourced, coordinated-disclosure effort seeks to pay Shadow Brokers a monthly subscription fee to obtain and hopefully prevent future outbreaks of the WannaCry variety.

"Covfefe" is many people's word of the day, thanks to President Donald Trump apparently fat-fingering a Tuesday late-night tweet.
See Also: Three and a Half Crimeware Trends to Watch in 2017
"Ethics," however, is the word of the day in the information security sphere, as the community debates whether it's acceptable to pay the exploit-leaking group known as the Shadow Brokers.
Debates rage after two researchers made that move, in the wake of Shadow Brokers promising to provide a first look at its monthly release of new exploits to anyone who pays a fee in a cryptocurrency called zcash. Currently, the fee being demanded - 100 zcash per month - is worth about $24,000.
Via the crowd-funding site Patreon, Matthew Hickey - cofounder and director of security firm Hacker House, based in Manchester, England - and the French security researcher known as X0rz, have launched an effort they've dubbed the Shadow Brokers Response Team.
"The goal here is to raise sufficient funds from interested parties to purchase a subscription to the new data leak," the researchers write in their pitch, noting that the effort will be supported by three other well-known security researchers - Nicholas Weaver, Tarah M. Wheeler and Tim Strazzere.
Specifically, the researchers are looking to raise 100 zcash coins, purchase them from a reputable exchange, transfer them to the Shadow Brokers, hopefully get information back from the group, and then analyze that data and disclose it privately to affected organizations.
By Wednesday morning British Time, about a dozen backers had pledged $1,700.
"We will notify vendors and share data with any researchers who are involved," Hickey, who tweets as Hacker Fantastic, says via Twitter. "We will be expecting responsible disclosure practices."
#ShadowBrokers crowdfunding with @hackerfantastic, you can fund using 1Crowd7HcL54mfHdkgwBDaCP8hegirqra2 https://t.co/8iTBi0jtKM pic.twitter.com/3UuVormJ1K
Shadow Brokers, which first set up online shop in August 2016, remains shrouded in mystery. Some speculate it may be a disgruntled U.S. government employee or a foreign intelligence agency. What is clear, however, is that the group has been leaking powerful attack tools, which it says originated with the Equation Group - a nickname for what security experts believe is the National Security Agency's network infiltration unit, called the Tailored Access Operations team.
Earlier this month, in a rambling online post, Shadow Brokers announced that they'd be launching an exploit-of-the-month service.
On Monday, Shadow Brokers drained its bitcoin account, and on Tuesday it released further details of its monthly dump service.
The terms: Anyone who sends 100 zcash, aka ZEC, by June 30 will receive a "mass email" sometime between July 1 and July 17 containing a link and password to obtain the group's June dump.
The group's pitch - written in the typical Shadow Brokers style, including rambling and difficult-to-read asides - makes no guarantees, claims or assurances about its offer, or its use of zcash.
"If you caring about loosing $20k+ Euro then not being for you," the offer reads. "Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments. Playing 'the game' is involving risks. Zcash is having connections to USG (DARPA, DOD, John Hopkins) and Israel. Why USG is 'sponsoring' privacy version of bitcoin?"
Shadow Brokers had previously attempted to ransom exploits in return for a preset quantity of bitcoins, but saw an insufficient number of takers.
The monthly subscription offer follows Shadow Brokers having leaked in April an Equation Group attack tool called EternalBlue that targets a flaw in Windows' Server Message Block (SMB) implementation. The flaw was used by unknown attackers earlier this month to launch an SMB-targeting worm designed to infect systems with WannaCry ransomware (see Teardown: WannaCry Ransomware).
Hickey tells me he sees paying the monthly subscription fee to be the least worst option for trying to blunt these types of devastating attacks in the future.
"Would I have paid £17,000 to stop the spread of WannaCry and keep the tools out of criminals' hands? Absolutely," Hickey says.
Ethically speaking, Hickey says the NSA could choose to undercut the Shadow Brokers subscription service.
"In an ideal world the [U.S.] government would make a statement about exactly what they developed and what they have lost, what is in the possession of blackhats and available to criminals so that we can defend against it," he tells me. "If they want to make that statement we will happily withdraw our attempt, however we are currently in the dark defending against adversaries whose tools are engineered by nation states."
To date, Shadow Brokers has released weaponized exploits that target technology from the likes of Cisco, Juniper, Linux, Microsoft Windows and Solaris.
Hickey, who launched a Twitter poll querying the community's response to the move, acknowledges that the subscription service may be a ruse. "They could of course have nothing at all, but if we do not attempt to at least find out then we cannot say we did everything in our power," he says.
Reaction from the information security community to Hickey and X0rz's move has been mixed. For some, it all sounds like a plot cooked up by dystopian science-fiction author William Gibson.
"Crowdfunding to buy nation state exploits from an anonymous group using untraceable cryptocurrency. The future got real cyberpunk real fast," says Brendan Dolan-Gavitt, an assistant professor at New York University, via Twitter.
Some information security professionals have come out in support of the plan, while others say they're against it.
"I'd rather form a team of uniquely talented folks to liberate the exploits back from SB and responsibly disclose all," information security professional Joe Harris says via Twitter in response to Hickey's poll.
Is a KickStarter project to pay Shadow Brokers subscription ($20k) and then perform analysis on it and responsible disclosure a good idea?
Some have disparaged the crowdfunding idea, and warned that it could put contributors at risk, legally speaking.
"If InfoSec vendors fund Shadow Brokers ($20k per monthly subscription) leaking Nation State tools I think it's a new low for InfoSec," says U.K.-based security researcher Kevin Beaumont, who tweets as Gossi the Dog. He called on the Equation Group, "whoever they may be," to instead responsibly disclose any and all stolen exploits still in their possession.
Crowd sourcing paying the Shadow Brokers is not my jam. It's indirectly funding crime.
There is a precedent for such moves. For example, Mike McNerney, a former Pentagon cybersecurity official, told the Washington Post that the NSA warned Microsoft about the SMB flaw in Windows after Shadow Brokers leaked the name of the Equation Group tool - EternalBlue - in January (see No Coincidence: Microsoft's Timely Equation Group Fixes). Microsoft released a related SMB fix for supported operating systems in March, after which the exploit was dumped in April. When WannaCry appeared May 12, Microsoft that same day released an emergency SMB patch for three unsupported operating systems: Windows XP, Windows Server 2003 and Windows 8.
It's not clear how many other patches from Microsoft and other vendors may already be due to information shared by the NSA or other intelligence firms.
Alan Woodward, a computer science professor at the University of Surrey and a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol, tells me that one of his chief concerns about the question of paying Shadow Brokers is that it "would encourage further such thefts, and so I'm afraid as much as I'd like to see what they have to say, I think it a poor idea."
Furthermore, it's not clear that any of this is actually about financial remuneration.
"I'm not convinced this is about the money. This group appears to be attempting to discredit the agencies it claims created the exploits," he says. "Look what happened when no one paid originally - they let it out anyway. It's really another form of ransom - even if someone does pay then there is no guarantee they won't just publish anyway."
He also voices ethical concerns. "I tend to work from a simple principle: criminals should not profit from their crime. I think this group is criminal - possibly politically motivated - and not some whistle-blowing vigilantes. Ergo, they shouldn't profit," Woodward says. "Maybe I'm being naïve but I worry that by a large number of people saying we'll all pay a little bit towards it, it could start to feel like a victimless crime."
Cybersecurity is a form of asymmetric warfare. The attackers need to only succeed once; the defenders must succeed constantly. The attackers share weapons and methods continuously; the defenders are often isolated silos of private knowledge that comes only from the attacks against themselves. Threat intelligence sharing between the defenders is a primary method of reducing the attackers' inherent asymmetric advantage.
But intelligence sharing is difficult, comprising both human and technology problems. The human element is largely around 'trust' -- with whom can you share potentially sensitive commercial information? The technology problem involves constraining the shared data to intended recipients and ensuring there is no breach of data protection regulations.
These problems have been successfully tackled by seven Fortune 500 companies in Columbus, Ohio. They came together in 2014 to form and capitalize the Columbus Collaboratory -- an Information Sharing and Analysis Organization (ISAO). As a private and voluntary ISAO, they solved the 'human' problem. Last week they adopted the TruSTAR intelligence sharing platform to solve the technology problem.
The Collaboratory comprises seven major non-competitive firms in several separate sectors: Nationwide Insurance, Cardinal Health, L Brands (which includes Victoria's Secret and Bath & Body Works), Huntington Bank, OhioHealth, American Electric Power, and Battelle. It was formed with a $28 million commitment from the members and a $5 million Ohio Third Frontier Grant.
The non-competitive nature is important. "Columbus lends itself to such an approach," Jeff Schmidt, VP and chief cyber security innovator, told SecurityWeek. "It's an important commercial center, but is not dominated by any one vertical." This allows the members to come together with no fear of disclosing sensitive data to competitors. While Schmidt sees the group potentially growing with new members, he doesn't believe the non-competitive element will ever change.
One of the first things Schmidt did when he joined the organization in October 2016 was to bring the liaison officers from the different companies together. "Nothing encourages trust more than face-to-face meetings," he said -- drawing perhaps from his earlier experience as Director at the InfraGard National Members Alliance.
The Collaboratory offers its members three primary services: cybersecurity, advanced analytics and talent solutions. "By sharing threat intelligence," he said, "we can break out of the silo model, pool ideas and resources, and better protect against cybersecurity threats." But, he added, "One of the nice features is that being completely private, there is no mandatory reporting from the Collaboratory to any outside agency, such as the FBI. In that way, it is different than other government-sponsored information sharing platforms."
These other platforms include ISACs (created by the DHS) and InfraGard (created by the FBI). "We've seen what works and what doesn't work," he said. "A lot of the inhibitors to effective information sharing are legal and philosophical -- if I share this information is the FBI or the NSA going to get it. Removing that variable is a net help." The individual members, many designated as part of the national critical infrastructure, may have their own vertical reporting responsibilities -- but the Collaboratory itself has none.
The final piece of the puzzle came into place last week with the adoption of the TruSTAR information exchange platform. "There is a common desire in business to share intelligence," commented Paul Kurtz, former cybersecurity advisor to the White House and now co-founder and CEO of TruSTAR, "but those legal and philosophical inhibitors have made it difficult."
The TruSTAR platform provides a walled enclave where data can be shared with just the Collaboratory members. Data can be redacted before sharing -- indeed, TruSTAR will automatically detect any likely PII with a point, click and redact facility to prevent its sharing -- and anonymized to prevent attribution. Only data specifically allowed for wider sharing can leave the enclave to be shared among the wider TruSTAR community. In this way, it maximizes sharing both between the members and with the wider community, while protecting any data that should not be shared. This is further enhanced with TruSTAR's selective version capability.
"If members wish to share a redacted document within the Collaboratory, and a more redacted version with the Wider TruSTAR community," added Schmidt, "then TruSTAR can accommodate selective version sharing."
For the most part, the shared information will be indicators of compromise, behaviors, patterns and attackers' infrastructure, not PII. If any PII slips in, it can be redacted. In this way, Schmidt believes that the members can stay on the right side of data protection regulations, including GDPR when it arrives next year. If anything, the structure imposed upon shared data is likely to make breach notification simpler and more efficient, making it easier for members to comply with GDPR's 72-hour notification requirement.
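The redaction and selective-version sharing described in the preceding paragraphs can be shown with a small two-tier pass over an incident note: one version for the trusted sharing group, a further-redacted version for a wider community, with attacker-side indicators kept in both. This is an added example, not TruSTAR's code; the detection rules, the two tier names, the organization name "Acme", the per-organization salt and the sample note are all constructed for the illustration.

```python
# Added example (not TruSTAR's code): a two-tier redaction pass of the kind the
# article describes, producing one version of an incident note for the private
# sharing group and a further-redacted version for a wider community. The
# detection rules, tiers, org names and the sample note are all constructed.
import hashlib
import ipaddress
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{4}\b")   # constructed: simple local-number pattern
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def pseudonym(addr, salt):
    """Stable, salted pseudonym so reports about the same user can still be correlated."""
    return "user-" + hashlib.sha256((salt + addr.lower()).encode()).hexdigest()[:8]


def redact(text, own_domain, org_names, tier, salt="constructed-per-org-salt"):
    """Redact PII from an incident note.

    tier == "group":     keep the member's domain and name (trusted sharing group)
    tier == "community": additionally hide which member organization reported it
    Attacker-side indicators (external e-mail addresses, non-RFC1918 IPs, URLs) are kept.
    """
    if tier not in ("group", "community"):
        raise ValueError("unknown tier: " + tier)

    def sub_email(m):
        addr = m.group(0)
        if not addr.lower().endswith("@" + own_domain.lower()):
            return addr                          # external address: an indicator, keep it
        domain = own_domain if tier == "group" else "[member-domain]"
        return pseudonym(addr, salt) + "@" + domain

    def sub_ip(m):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)                    # not a real IP (e.g. 999.1.1.1)
        if any(ip in net for net in INTERNAL_NETS):
            return "[internal-host]"             # victim-side topology: redact
        return m.group(0)                        # external address: keep as indicator

    text = EMAIL_RE.sub(sub_email, text)
    text = IPV4_RE.sub(sub_ip, text)
    text = PHONE_RE.sub("[phone]", text)
    if tier == "community":
        for name in org_names:
            text = re.sub(re.escape(name), "[member-org]", text, flags=re.IGNORECASE)
    return text


# Constructed sample incident note (203.0.113.0/24 is a documentation range).
SAMPLE_NOTE = (
    "2017-05-30: alice@acme.example (Acme finance, desk 555-0142) received a lure from "
    "billing@invoice-scam.example linking to http://invoice-scam.example/login; "
    "workstation 10.1.4.22 then beaconed to 203.0.113.45."
)

if __name__ == "__main__":
    print(redact(SAMPLE_NOTE, "acme.example", ["Acme"], "group"))
    print(redact(SAMPLE_NOTE, "acme.example", ["Acme"], "community"))
```

The design point is that anonymization and correlation are not in conflict: the victim's address is replaced by a salted hash rather than a blank, so two members reporting the same targeted user produce the same token without either revealing a name, while the attacker's sender address, URL and external IP survive unchanged in both versions because they are the indicators the sharing exists to distribute.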
It's early days for the Columbus Collaboratory; but does the theory work in practice? "Yes," said Kurtz. "One example was a firm that thought it had a staff problem only to find that other companies were having the same problem. It wasn't staff, it was subtle indications of an intruder that only became apparent through intelligence sharing."
The Columbus Collaboratory, aided in this instance by the TruSTAR sharing platform, is unique. But it is an example to other regions where different companies can come together and share their threat intelligence, safely, securely, compliant with data protection regulations, and with no three-letter agency inhibitions.