SEC Examines Response From Financial Advisory, Brokerage Firms to Cyber Threats
Posted on February 5, 2015 by Kara Dunlap in Security
An overwhelming majority of brokerage and investment advisory firms examined by the U.S. Securities and Exchange Commission (SEC) have been the subject of a cyber-attack.
In its recent ‘Cybersecurity Examination Sweep Summary’ report, the SEC took a look at 57 registered broker-dealers and 49 registered investment advisors. Eighty-eight percent of the broker-dealers and 74 percent of the advisers stated that they have experienced cyber-attacks either directly or through one or more of their vendors.
The majority of the cyber-related incidents are related to malware and fraudulent email. In fact, more than half of the broker-dealers (54 percent) and 43 percent of the advisers reported receiving fraudulent emails seeking to transfer client funds. More than a quarter of those broker-dealers reported losses in excess of $5,000 related to these emails, with no single loss being greater than $75,000. Twenty-five percent of the broker-dealers confessing losses related to the emails said the damage was the result of employees not following their firm’s identity authentication procedures.
“Brokers and advisors, especially those who handle very wealthy clients, are used to dealing with substantial sums of money, but they’re also human beings who can be duped by a well-crafted phishing scam,” said Tim Erlin, director of IT security and risk strategy at Tripwire. “Not all of these brokerages are as big as Wells Fargo and Morgan Stanley. Small and medium financial firms are gaining visibility because criminals are walking away with meaningful sums of money. The criminals are becoming more savvy about which kinds of transactions remain under the radar, and the more success they have with these targets, the more of these businesses they go after.”
The good news is the vast majority of examined broker-dealers (93 percent) and advisers (83 percent) have adopted written information security policies, and 89 percent of the broker-dealers and 57 percent of the advisers conduct periodic audits to determine compliance with these policies. For the majority of both broker-dealers (82 percent) and the advisers (51 percent), these written policies discuss mitigating the effects of a cyber-security incident and/or outline the plan to recover from such an incident. These policies however generally did not address how firms determine whether they are responsible for client losses associated with cyber incidents.
While firms identified misconduct by employees and other authorized users of their networks as a significant concern, only a small proportion of the broker-dealers (11 percent) and the advisers (four percent) reported incidents in which insiders engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client or firm information, or damage to the firms’ networks.
The vast majority of examined firms conduct firm-wide risk assessments on a periodic basis to identify cybersecurity threats, vulnerabilities and any potential impact to business. While most of the broker-dealers (93 percent) and advisers (79 percent) reported considering such risk assessments in establishing their cybersecurity policies and procedures, fewer firms applied these requirements to their vendors. While 84 percent of the brokerage firms require cyber-security risk assessments of vendors with access to their firm’s networks, only 32 percent of the advisers do so.
“Cybersecurity threats know no boundaries,” said SEC Chair Mary Jo White, in a statement. “That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC. Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”
XSS, XFS, Open Redirect Vulnerabilities Found on About.com
Posted on February 3, 2015 by Kara Dunlap in Security
About.com, the online resource website visited by tens of millions of users each month, is plagued by several types of potentially dangerous vulnerabilities, a researcher revealed on Monday.
According to Wang Jing, a PhD student at the Nanyang Technological University in Singapore, a large majority of the pages on About.com are vulnerable to cross-site scripting (XSS) and cross-frame scripting (XFS/iFrame injection) attacks.
The expert tested close to 95,000 About.com links with a script he developed and determined that at least 99.88% of them are vulnerable. The search field on the website’s homepage is also plagued by an XSS flaw which, according to Jing, means that all the domains related to about.com are vulnerable to XSS attacks.
In order to exploit XSS vulnerabilities, an attacker needs to convince the victim to click on a specially crafted link. XSS attacks can be used to alter the appearance of a website, access potentially sensitive information, and spy on users.
XFS attacks can be used to steal data from websites accessed by the victim. For the attack to work, a malicious actor must get the user to access a Web page he controls. Such vulnerabilities can also be exploited for distributed denial-of-service (DDoS) attacks, the expert noted.
Jing has also identified open redirect bugs on several About.com pages. The vulnerabilities can be leveraged to trick users into visiting phishing and other malicious websites by presenting them with a link that apparently points to an about.com page.
“The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04), Apple Safari 6.1.6 of Mac OS X Lion 10.7,” the researcher said in a blog post.
About.com was notified of the existence of the vulnerabilities back in October 2014, but so far the company hasn’t done anything to address them, the researcher said. About.com hasn’t responded to SecurityWeek’s requests for comment.
Proof-of-concept (PoC) videos for the XSS vulnerability on the About.com homepage and the open redirect flaw have been published by the researcher.
Jihadists Increasingly Wary of Internet, Experts Say
Posted on January 31, 2015 by Kara Dunlap in Security
Paris – After having used the Internet profusely for propaganda and recruitment, jihadist organizations have realized that investigators are gleaning crucial information online and are increasingly concealing their web presence, experts say.
Apart from recent orders given to fighters to limit their exposure, erase the footprint of their online activity and avoid revealing too many place names or faces, the Islamic State and Al-Nusra Front groups are increasingly using the “Dark Web” — the hidden part of the Internet protected by powerful encryption software.
“Sometimes we get the geographical location of some fighters thanks to Facebook,” Philippe Chadrys, in charge of the fight against terrorism at France’s judicial police, said earlier this week.
“Some even publish it on the public part of their account. That gives us elements to build a case. Because of course we don’t go to Syria, we have no one on the ground, and we lack proof.”
In November, Flavien Moreau, a 28-year-old jihadist who travelled to Syria and then returned to France, was jailed for seven years exclusively on the basis of what he posted online.
And those who just months ago had happily posted videos, photos of themselves holding Kalashnikovs or of beheadings on Facebook have now realised that they were single-handedly building a case against themselves, if they ever decided to come home.
“We are starting to notice the beginnings of disaffection with Facebook — they have understood that’s how we get incriminating evidence,” said Chadrys.
“They are resorting more and more to Skype or WhatsApp, software that is much harder to intercept. We realise that the people we are interested in are increasingly specialised in computing. They master encryption software and methods to better erase data.”
‘Cyber-surveillance’ key
Chadrys also said that jihadists were increasingly using the “Dark Web.”
“That makes our probes much more complicated. The terrorists are adapting, they understand that the telephone and Internet are handy, but dangerous.”
He pointed to Mehdi Nemmouche, saying last year’s alleged Brussels Jewish museum killer had no mobile phone and no Facebook account.
Faced with this problem, police are resorting to calling in cryptography and computing experts, but there are never enough, which slows down investigations.
Last autumn, the Islamic State group (IS) published guidelines for its members, asking fighters not to tweet precise location names, to blur faces or stop giving too many details about on-going operations.
“Security breaches have appeared, which the enemy has taken advantage of,” read the text, written in Arabic.
“The identity of some brothers has been compromised, as have some sites used by mujahedeen. We know that this problem does not only involve photos, but also PDF, Word and video files.”
In a recent report, Helle Dale of the US-based Heritage Foundation think-tank wrote that cyber-surveillance was key to the fight against IS “as human intelligence is hardly available on the ground, especially in Syria, and the number of unmanned drones is limited.”
But, she added, the group “is changing its communications strategy. It is encrypting its electronic communications, limiting its presence online and using services that delete messages as soon as they are sent.”
Anti-Fraud Firm InfoArmor Acquires IntelCrawler
Posted on January 28, 2015 by Kara Dunlap in Security
InfoArmor, a provider of fraud and identity theft protection services, has acquired cybercrime research firm IntelCrawler for an undisclosed sum.
With IntelCrawler under its belt, Scottsdale, Arizona-based InfoArmor plans to form a new Enterprise Threat Intelligence unit that will help customers discover and block attacks targeting intellectual property.
Founded in 2013 by Dan Clements and Andrew Komarov, IntelCrawler offers threat intelligence, data and security research services to large corporate and government clients.
Komarov previously worked for Russian cybercrime research firm Group-IB.
“InfoArmor is thrilled about joining forces with Dan, Andrew and the IntelCrawler team,” said John Schreiber, InfoArmor’s president, adding that IntelCrawler’s data, intelligence and research capabilities are beneficial for its clients, who are pushing for threat identification, assessment, and attribution.
“Using IntelCrawler’s context-aware intelligence and operative human intelligence, we will now be able to connect even more dots between cyber intelligence and emerging enterprise threats,” said Drew Smith, CEO of InfoArmor.
The cash and stock transaction was completed on Jan. 23, 2015.
Hackers Target Malaysia Airlines, Threaten Data Dump
Posted on January 26, 2015 by Kara Dunlap in Security
The Malaysia Airlines website was commandeered Monday by hackers who referenced the Islamic State jihadists and claimed to be from the “Lizard Squad”, a group known for previous denial-of-service attacks.
The website’s front page was replaced with an image of a tuxedo-wearing lizard, and read “Hacked by LIZARD SQUAD — OFFICIAL CYBER CALIPHATE”.
It also carried the headline “404 – Plane Not Found”, an apparent reference to the airline’s puzzling loss of flight MH370 last year with 239 people aboard.
Media reports said versions of the takeover in some regions included the wording “ISIS will prevail”.
The airline did not immediately respond to a request for comment.
The Lizard Squad is a group of hackers that has caused havoc in the online world before, taking credit for attacks that took down the Sony PlayStation Network and Microsoft’s Xbox Live network last month.
The Islamic State, an extremist Sunni Muslim group, has seized large swathes of Syria and Iraq, where it has declared an Islamic “caliphate”.
It has drawn thousands of fighters from across the globe to its anti-Western cause, and shocked the world with its video-taped executions of journalists and other foreigners it has captured, the most recent being a Japanese security contractor it claimed Sunday to have beheaded.
A second Japanese captive being held by the militants has also been threatened with execution.
The IS group, which uses social media in recruiting and spreading its message, is believed to harbour ambitions of launching a cyber-war against the West.
It is unclear why Malaysia Airlines was targeted.
But concern has been rising in Malaysia after scores of its citizens were lured to the IS cause in the Middle East. Malaysian authorities last week said they have detained 120 people suspected of having IS sympathies or planning to travel to Syria.
Njw0rm Source Code Used to Create New RATs
Posted on January 23, 2015 by Kara Dunlap in Security
Malware developers have used the source code of the remote access tool (RAT) Njw0rm to create two new RATs, researchers at Trend Micro reported on Thursday.
Njw0rm is a variant of njRAT, a tool believed to be developed by a Kuwait-based individual. In June 2014, Microsoft announced the results of an operation targeting njRAT (Bladabindi) and Njw0rm (Jenxcus). At the time, the company noted that cybercriminals could create their own versions of the malware because the necessary information and packages were available on public forums.
Trend Micro says the source code of Njw0rm was published on hacker forums in May 2013, after which cybercriminals started creating new pieces of malware based on the threat.
One of the new RATs is Kjw0rm. Version 2.0 of the malware was first spotted by the security firm in January 2014. Kjw0rm 0.5X and a new worm dubbed Sir DoOom emerged in December 2014.
The new pieces of malware come with an enhanced control panel and they include several new features not seen in Njw0rm. In addition to information on the victim’s IP address, location, operating system, and USB devices, Kjw0rm’s control panel includes data on installed antiviruses (v2.0) and the presence of the .NET framework (v0.5x). Sir Do0om, on the other hand, also provides the botmaster with information on RAM, firewalls, antiviruses, CPU/GPU, and product details (name, ID, key).
As far as functions are concerned, Njw0rm can execute commands and files, steal credentials, and receive updates from the attacker. The Kjw0rm RATs allow their master to shut down or restart the computer, open Web pages, and download and execute files and code.
Sir Do0om is even more interesting since it can be used to mine Bitcoin, launch DDoS attacks, control computers based on a timer, display messages, terminate antivirus processes, and open a website related to the Quran, the central religious text of Islam. This RAT is also designed to terminate itself if the presence of a virtual machine is detected.
Just like Njw0rm, the new threats are designed to propagate via removable devices. They hide some or all the folders found on the infected device and create shortcut links pointing to the malware with the names of the hidden folders.
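A triage check for the removable-drive propagation pattern just described, added here as example code (not Trend Micro’s analysis code or anything from the malware): it flags shortcut files whose name borrows a sibling folder’s name, which is what is left behind when the real folders are hidden and same-named shortcuts are dropped. The sample drive layout is constructed; the Windows hidden attribute is only reported where the platform exposes it.

```python
"""Flag .lnk shortcuts that shadow a sibling folder on a (removable) drive.
Example code for this page; the sample layout below is constructed."""
import stat
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """True when the Windows hidden attribute is set. Other platforms do not
    expose st_file_attributes, so the check reports False rather than guess."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_worm_shortcuts(root):
    """Return sorted (shortcut name, target folder hidden?) pairs for every
    top-level .lnk file whose stem matches a directory in the same folder.
    A benign shortcut (e.g. to a printer) has no sibling folder and is skipped."""
    root = Path(root)
    dirs = {p.name: p for p in root.iterdir() if p.is_dir()}
    hits = []
    for p in root.iterdir():
        if p.is_file() and p.suffix.lower() == ".lnk" and p.stem in dirs:
            hits.append((p.name, is_hidden(dirs[p.stem])))
    return sorted(hits)


def build_sample_drive(base):
    """Constructed sample (not a real infection): two folders shadowed by
    same-named shortcuts, one unrelated shortcut and one ordinary file."""
    base = Path(base)
    for name in ("Photos", "Invoices", "Backup"):
        (base / name).mkdir()
    for name in ("Photos.lnk", "Invoices.lnk", "Printer.lnk", "notes.txt"):
        (base / name).write_bytes(b"")  # empty placeholder, no real LNK payload
    return base


def run_sample():
    """Build the constructed layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_worm_shortcuts(build_sample_drive(tmp))


if __name__ == "__main__":
    for name, hidden in run_sample():
        print(f"suspicious shortcut: {name} (target folder hidden: {hidden})")
```

On a real drive, a hit whose target folder also carries the hidden attribute matches the described behaviour closely enough to quarantine the shortcut and inspect its target before anything on the drive is opened.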
“This evolution shows that the malware authors are becoming more active in developing new malware and using njw0rm as a template. Because of this pattern, we can expect to see more variants of this malware in the future,” Trend Micro threat response engineer Michael Marcos said in a blog post.
Oracle Releases Massive Security Update
Posted on January 20, 2015 by Kara Dunlap in Security
Oracle has pushed out a massive number of patches in a security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite.
Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.
The most serious of the bugs however impact Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities (CVE-2014-6601; CVE-2015-0412; CVE-2014-6549; and CVE-2015-0408).
“Out of these [Java] 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations,” blogged Oracle Software Security Assurance Director Eric Maurice. “This relatively low historical number for Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.”
In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.
The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes. There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualization.
“The challenge with the Oracle CPU is, quarter after quarter, there is so much in these advisories,” said Ross Barrett, senior manager of security engineering at Rapid7. “There are so many different, unrelated platforms, that administrators risk missing something that might apply specifically to a very niche version of hardware that might be in their environment.”
Hackers Announce ‘World War III’ on Twitter
Posted on January 17, 2015 by Kara Dunlap in Security
Washington – Hackers took over the Twitter accounts of the New York Post and United Press International on Friday, writing bogus messages, including about hostilities breaking out between the United States and China.
One tweet posted under the UPI account quoted Pope Francis as saying, “World War III has begun.”
Another message delivered on the Post account said the USS George Washington, an aircraft carrier, was “engaged in active combat” against Chinese warships in the South China Sea.
The tweets were subsequently deleted.
A Post tweet later noted that “Our Twitter account was briefly hacked and we are investigating.”
The fake tweets were not just about war. One posted on UPI said “Just in: Bank of America CEO calls for calm: Savings accounts will not be affected by federal reserve decision.”
The Post is owned by Rupert Murdoch’s News Corp. Several media organizations have had their Twitter feeds hacked over the past two years including Agence France-Presse, the BBC and others.
A Pentagon official said the tweet about hostilities with China was “not true.”
Notepad++ Site Hacked in Response to “Je suis Charlie” Edition
Posted on January 15, 2015 by Kara Dunlap in Security
The official website of the popular source code editor Notepad++ was hacked and defaced on Monday by hacktivists protesting against the recently released “Je suis Charlie” edition of the application.
Hackers of the Fallaga Team, a Tunisian group, breached and defaced a large number of French websites following the Charlie Hebdo incident in which 12 people were killed by two masked gunmen.
The website of Notepad++ (notepad-plus-plus.org) became a target after the release of version 6.7.4, “Je suis Charlie” edition.
The attackers defaced the website with a message in which they accused Notepad++ developers of saying that “Islam is terrorist.”
In a statement published on Thursday, Don Ho, the France-based developer of Notepad++, clarified that the hackers have not compromised the binaries of the “Je suis Charlie” edition because they are stored on a different server.
“The message of the defacement accused Notepad++ of inciting hatred towards Islam and accusing Islam of supporting terrorism. The statements of Notepad++ ‘Je suis Charlie’ edition support nothing but the freedom of expression and only that. The fact of Notepad++ supporting the ‘Je suis Charlie’ movement has nothing to do with any accusation towards a specific community,” Ho explained.
“In fact the ‘Je suis Charlie’ movement in France, as far as I can tell, deserves no label of racism or of Islamophobia. I have many Muslim friends who are for ‘Je suis Charlie’. And sincerely, I don’t think that two extremist fools can stand for all Muslims or Islam itself,” he added.
The developer highlighted that those who don’t like the “Je suis Charlie” edition can simply use version 6.7.3, which contains the same features and bug fixes.
Hundreds of French websites have been defaced over the past days. Islamist hackers started launching attacks after some members of the Anonymous hacktivist movement initiated an anti-jihadist campaign in response to the Charlie Hebdo shooting.
The Charlie Hebdo incident has given hacktivists a reason to deface websites, but it has also given cybercriminals the opportunity to lure unsuspecting users to their shady websites. Researchers at OpenDNS discovered a fake BBC News website earlier this week. The site was shut down before experts could determine its purpose, but it could have been used to serve malicious content, redirect users to other websites, or for click fraud purposes.
Pro-ISIS Hackers Compromise U.S. CENTCOM Twitter, YouTube Accounts
Posted on January 12, 2015 by Kara Dunlap in Security
Hackers supporting Islamic State jihadists briefly took control of the Twitter and YouTube accounts of the U.S. Central Command (CENTCOM), the Department of Defense confirmed Monday.
In the attack, hackers replaced the main banner for CENTCOM’s Twitter account with an image of a masked fighter along with the words “CyberCaliphate” and “I love you ISIS”.
The attackers Tweeted and posted a message to Pastebin saying, “You’ll see no mercy infidels. ISIS is already here, we are in your PCs, in each military base. With Allah’s permission we are in CENTCOM now. We won’t stop! We know everything about you, your wives and children. U.S. soldiers! We’re watching you!”
The attackers also posted information and details on military personnel and photos, including a phone directory of officers, which some say is out-of-date and already publicly available.
“We can confirm that the US Central Command Twitter and YouTube accounts were compromised earlier today. We are taking appropriate measures to address the matter,” a Department of Defense representative said in a statement.
The @CENTCOM Twitter account was suspended at the time of publishing, but the Department of Defense said that it has regained control of the compromised accounts.
“The account compromised was timed with the release of a couple of sensitive documents on Pastebin, which appears to have been designed to intimidate US soldiers,” Trey Ford, Global Security Strategist at Rapid7, told SecurityWeek. “One thing to note: the Sony document dumps were laced with malware, and I expect these files may also be part of a targeted malware campaign targeting military analysts and their families.”
“This attack looks to be the same actors as the WBOC and Albuquerque Journal attacks last week,” Ian Amit, Vice President at ZeroFOX, said. “The verbiage is the same, the behavior is the same, the hashtags are the same — all indicators suggest this is the same group. The full extent of the damage: 3 Twitter accounts and 1 YouTube account.”
“Much of this appears to be simply scare tactics,” Amit added. “All of the ‘leaked’ documents are in fact public domain, repackaged to look like a real data breach. These actors are trying to make themselves look more legitimate by threatening soldiers’ wives and claiming to have mobile access. In truth, they likely only stole a password, either through a phishing scam or a brute-force attack.”
On Sunday, European, US and Canadian security ministers said that increased Internet surveillance and tighter border checks were “urgently” needed to combat jihadist attacks of the sort that shocked Paris last week.
U.S. CENTCOM promotes cooperation among nations, responds to crises, and deters or defeats state and non-state aggression.
One of nine unified commands in the U.S. military, CENTCOM has an area of responsibility in the central area of the world consisting of 20 countries, including Afghanistan, Iran, Iraq, Jordan, Kazakhstan, Kuwait, Kyrgyzstan, Lebanon, Oman, Pakistan, Qatar, Saudi Arabia, Syria, Tajikistan, Turkmenistan, United Arab Emirates, Uzbekistan, and Yemen.
The attacks against CENTCOM came just as President Obama gave an address and announced a series of initiatives designed to enhance the nation’s cybersecurity and privacy environment.