PGP: ‘Serious’ Flaw Found in Secure Email Tech
A widely used method of encrypting emails has been found to suffer from a serious vulnerability, researchers say. PGP (Pretty Good Privacy) is a data encryption method sometimes added to programs that send and receive email.

Details about the vulnerability were released by the Süddeutsche Zeitung newspaper prior to a scheduled embargo.

Previously, the Electronic Frontier Foundation (EFF) had advised immediately disabling email tools that automatically decrypted PGP.

The problem had been investigated by Sebastian Schinzel, at Münster University of Applied Sciences.

After the embargo on releasing details about the vulnerability was lifted, Mr Schinzel and colleagues published their research revealing how the attack on PGP emails worked.

A website explaining the issue has also now been made public.

There was initially concern among cyber-security researchers that the issue affected the core protocol of PGP – meaning that all uses of the encryption method, including file encryption, could be made vulnerable.

However, one provider of software that encrypts data using PGP explained that the problem specifically concerned email programs that failed to check properly for decryption errors before following links in HTML-formatted emails.

The issue had been “overblown” by the EFF, said Werner Koch, of GnuPG.

Security expert Mikko Hypponen, at F-Secure, said his understanding was that the vulnerability could in theory be used to decrypt a cache of encrypted emails sent in the past, if an attacker had access to such data.

“This is bad because the people who use PGP use it for a reason,” he told the BBC. “People don’t use it for fun – people who use it have real secrets, like business secrets or confidential things.”

Alan Woodward, at the University of Surrey, agreed, adding: “It does have some big implications as it could lead to a channel for sneaking data off devices as well as for decrypting messages.”

The researchers have said that users of PGP email can disable HTML in their mail programs to stay safe from attacks based on the vulnerability. It is also possible to decrypt emails with PGP decryption tools separate from email programs.
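The failure mode described above, a client that hands decrypted content to its HTML engine and follows links before confirming that decryption actually succeeded, can be expressed as a small client-side policy. The following Python is an added example, not code from the researchers, from GnuPG or from any mail program; `DecryptResult`, `render_plan` and the sample message parts are constructed for illustration, and only the standard library is used. It applies the two mitigations the text mentions (refuse to render when decryption reports an error; keep HTML off, and never fetch remote references automatically even when it is on).

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Tuple


@dataclass(frozen=True)
class DecryptResult:
    """What the OpenPGP layer hands back to the mail client.
    Modelled for this example; real libraries report the same facts through their own status codes."""
    plaintext: str
    integrity_ok: bool            # decryption finished AND the integrity check passed
    errors: Tuple[str, ...] = ()  # any warning or error raised while decrypting


class RemoteRefScanner(HTMLParser):
    """Collects attribute values that would cause a network fetch if the HTML were rendered."""
    FETCH_ATTRS = {"src", "href", "background", "poster", "action"}

    def __init__(self) -> None:
        super().__init__()
        self.remote: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name.lower() in self.FETCH_ATTRS and value.strip().lower().startswith(("http:", "https:", "//")):
                self.remote.append((tag, value.strip()))


def remote_references(body: str) -> List[Tuple[str, str]]:
    scanner = RemoteRefScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.remote


def render_plan(result: DecryptResult, allow_html: bool = False):
    """Decide how the client may display a decrypted MIME part.

    Returns (mode, body, withheld): mode is 'text' or 'html', body is what goes to the
    display, and withheld lists the remote references that were found and not fetched.
    """
    # Rule 1: a part that failed decryption or integrity checking never reaches the HTML engine.
    if result.errors or not result.integrity_ok:
        notice = "Decryption failed or integrity could not be verified; content withheld."
        return "text", notice, []

    withheld = remote_references(result.plaintext)

    # Rule 2: HTML is off by default (the mitigation the researchers recommended); show escaped text.
    if not allow_html:
        return "text", html.escape(result.plaintext), withheld

    # Rule 3: even with HTML enabled, a part that references remote resources is shown as
    # text so that nothing is fetched without the user asking for it.
    if withheld:
        return "text", html.escape(result.plaintext), withheld

    return "html", result.plaintext, []


# Constructed sample parts for the example (not real captured mail).
CLEAN_PART = DecryptResult(plaintext="<p>Quarterly figures attached.</p>", integrity_ok=True)
REMOTE_PART = DecryptResult(
    plaintext='<p>Hello</p><img src="https://remote.example/pixel.png">',
    integrity_ok=True,
)
BROKEN_PART = DecryptResult(plaintext="", integrity_ok=False, errors=("integrity check failed",))

if __name__ == "__main__":
    for label, part in (("clean", CLEAN_PART), ("remote", REMOTE_PART), ("broken", BROKEN_PART)):
        mode, body, withheld = render_plan(part, allow_html=True)
        print(f"{label}: mode={mode} withheld={len(withheld)} body={body[:60]!r}")
```

The order of the rules matters: the integrity check comes first so that a damaged or tampered part is never parsed as HTML at all, and the remote-reference scan only runs on content that decrypted cleanly.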

Ethical Hackers to Boost NHS Cyber Defences
The NHS is spending £20m to set up a security operations centre that will oversee the health service’s digital defences. It will employ “ethical hackers” to look for weaknesses in health computer networks, not just react to breaches.

Such hackers use the same tactics seen in cyber-attacks to help organisations spot weak points.

In May, one-third of UK health trusts were hit by the WannaCry worm, which demanded cash to unlock infected PCs.

In a statement, Dan Taylor, head of the data security centre at NHS Digital, said the centre would create and run a “near-real-time monitoring and alerting service that covers the whole health and care system”.

The centre would also help the NHS improve its “ability to anticipate future vulnerabilities while supporting health and care in remediating current known threats”, he said. And operations centre guidance would complement the existing teams the NHS used to defend itself against cyber-threats.

NHS Digital, the IT arm of the health service, has issued an invitation to tender to find a partner to help run the project and advise it about the mix of expertise it required.

Kevin Beaumont, a security vulnerability manager, welcomed the plan to set up the centre. “This is a really positive move,” he told the BBC.

Many private sector organisations already have similar central teams that use threat intelligence and analysis to keep networks secure.

“Having a function like this is essential in modern-day organisations,” Mr Beaumont said. “In an event like WannaCry, the centre could help hospitals know where they are getting infected from in real time, which was a big issue at the time; organisations were unsure how they were being infected.”

In October, the UK’s National Audit Office said NHS trusts had been caught out by the WannaCry worm because they had failed to follow recommended cyber-security policies. The NAO report said NHS trusts had not acted on critical alerts from NHS Digital or on warnings from 2014 that had urged users to patch or migrate away from vulnerable older software.

Imgur Confirms 1.7 Million Users Hit by Data Breach
Image-sharing website Imgur has confirmed that the emails and passwords of 1.7 million users were compromised in 2014. The data breach has only recently come to light after being discovered by security researcher Troy Hunt. Mr Hunt said he was impressed with the company’s swift response.

Imgur said in a statement that no other personal data had been taken as it did not collect information such as real names and phone numbers. “We apologise that this breach occurred and the inconvenience it has caused you,” wrote Roy Sehgal, Imgur’s chief operating officer, in a blog post.

Mr Sehgal said Imgur was “still investigating” but its former encryption method – a hashing algorithm – may have been “cracked with brute force”. That algorithm had been replaced in 2016, he added.

“We recommend that you use a different combination of email and password for every site and application,” he wrote. “Please always use strong passwords and update them frequently.”
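The sequence Mr Sehgal describes, an older hashing scheme that could be brute-forced and its later replacement, raises the practical question of how existing password records get moved to the new scheme without forcing every user to reset. The following Python is an added example, not Imgur's code, and the page does not say which algorithms were involved: plain SHA-1 stands in for the legacy fast, unsalted hash and PBKDF2-HMAC-SHA256 for the replacement, both assumptions for illustration, and the user table is a constructed dict. It shows the usual "migrate on login" pattern: verify against whatever record exists, and on success rehash with a salted, slow KDF and overwrite the record.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed stand-ins for the example: a fast unsalted hash as the legacy scheme and
# PBKDF2-HMAC-SHA256 as its replacement. The page does not name Imgur's algorithms.
PBKDF2_PREFIX = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000   # deliberately slow: every offline guess costs this much work


def legacy_hash(password: str) -> str:
    """Legacy record: plain SHA-1 of the password, no salt. Cheap to brute-force offline."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Replacement record: per-user random salt plus an iterated KDF, serialised as one string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((PBKDF2_PREFIX, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")))


def is_upgraded(record: str) -> bool:
    return record.startswith(PBKDF2_PREFIX + "$")


def verify(record: str, password: str) -> bool:
    """Check a password against either record format, using constant-time comparison."""
    if is_upgraded(record):
        _, iterations, salt_b64, dk_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations), len(expected))
        return hmac.compare_digest(candidate, expected)
    return hmac.compare_digest(legacy_hash(password), record)


# Computed once so that a login for an unknown user costs the same as a real PBKDF2 check.
DUMMY_RECORD = pbkdf2_record("dummy", b"\x00" * 16)


def login(db: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate, and on success migrate a legacy record to the new scheme in place.
    The plaintext password is only available at login, so this is the one moment a rehash is possible."""
    record = db.get(user)
    if record is None:
        verify(DUMMY_RECORD, password)   # burn equivalent work; do not reveal which users exist
        return False
    if not verify(record, password):
        return False
    if not is_upgraded(record):
        db[user] = pbkdf2_record(password)   # upgrade opportunistically; old record is gone
    return True


# Constructed user table for the example: one account still on the legacy format.
USERS: Dict[str, str] = {"alice": legacy_hash("correct horse battery staple")}

if __name__ == "__main__":
    db = dict(USERS)
    print("before:", db["alice"])
    print("login ok:", login(db, "alice", "correct horse battery staple"))
    print("after: ", db["alice"])
```

Records that are never logged into again stay on the legacy format, which is why a migration like this is normally paired with a deadline after which remaining legacy records are invalidated and those users are asked to reset.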

Troy Hunt tweeted that Imgur had released a statement 25 hours after he had contacted the company. “This is really where we’re at now: people recognise that data breaches are the new normal and they’re judging organisations not on the fact that they’ve had one but on how they’ve handled it when it’s happened,” he wrote.

This month it was revealed that ride-hailing app Uber had concealed a 2016 data breach affecting 57 million users and drivers. It also admitted to paying the hackers $100,000 (£75,000) to delete the stolen data. “None of this should have happened,” said chief executive Dara Khosrowshahi.

‘Bad Rabbit’ Ransomware Strikes Ukraine & Russia
A new strain of ransomware nicknamed “Bad Rabbit” has been found spreading in Russia, Ukraine and elsewhere. The malware has affected systems at three Russian websites, an airport in Ukraine and an underground railway in the capital city, Kiev.

The cyber-police chief in Ukraine confirmed to the Reuters news agency that Bad Rabbit was the ransomware in question. It bears similarities to the WannaCry and Petya outbreaks earlier this year. However, it is not yet known how far this new malware will be able to spread.

“In some of the companies, the work has been completely paralysed – servers and workstations are encrypted,” head of Russian cyber-security firm Group-IB, Ilya Sachkov, told the TASS news agency.

Two of the affected sites are Interfax and Fontanka.ru.

Meanwhile, US officials said they had “received multiple reports of Bad Rabbit ransomware infections in many countries around the world”.

The US computer emergency readiness team said it “discourages individuals and organisations from paying the ransom, as this does not guarantee that access will be restored”.

“According to our data, most of the victims targeted by these attacks are located in Russia,” said Vyacheslav Zakorzhevsky at Kaspersky Lab. “We have also seen similar but fewer attacks in Ukraine, Turkey and Germany.”

Bad Rabbit encrypts the contents of a computer and asks for a payment – in this case 0.05 bitcoins, or about $280 (£213).

Cyber-security firms, including Russia-based Kaspersky, have said they are monitoring the attack.

The malware is still undetected by the majority of anti-virus programs, according to analysis by the virus-checking site VirusTotal.

One security firm, Eset, has said that the malware was distributed via a bogus Adobe Flash update.

Researcher Kevin Beaumont has posted a screenshot that shows Bad Rabbit creating tasks in Windows named after the dragons Drogon and Rhaegal in TV series Game of Thrones.

The outbreak bears similarities to the WannaCry and Petya ransomware outbreaks that spread around the world causing widespread disruption earlier this year.

UK to Increase National Cyber Defence Grid
Automatic defences to stop hackers hijacking websites or spoofing official domains will get a boost from a £1.9bn government cybersecurity strategy. Chancellor Philip Hammond will give details of the plans in a speech later. Other defences that intercept booby-trapped emails or shut down thieves impersonating bank websites will also be expanded. The strategy will also help enlarge specialist police units that tackle organised online gangs. Some cash will go towards education and training of cybersecurity experts.

Mr Hammond is expected to formally launch the scheme, called the National Cyber Security Strategy, on Tuesday. The speech coincides with a warning from MI5 that Russia poses an increased cyber-threat.

“It is using its whole range of state organs and powers to push its foreign policy abroad in increasingly aggressive ways – involving propaganda, espionage, subversion and cyberattacks,” Andrew Parker, the domestic security agency’s director general told the Guardian.

The National Cyber Security Strategy will set out action needed to protect the UK economy and the privacy of British citizens, and will also encourage industry to ramp up efforts to prevent cyber-attacks.

Mr Hammond said Britain “must now keep up with the scale and pace of the threats we face. Our new strategy… will allow us to take even greater steps to defend ourselves in cyberspace and to strike back when we are attacked,” he added.

Ben Gummer, paymaster general, said in a statement: “No longer the stuff of spy thrillers and action movies, cyber-attacks are a reality and they are happening now. Our adversaries are varied – organised criminal groups, ‘hacktivists’, untrained teenagers and foreign states.”

The £1.9bn to pay for the national strategy was allocated last year and will fund the programme until the end of 2020. In its strategy, the government explained what some of the money has been spent on already.

With the aid of industry, it has set up automated systems that limit how much malware and spam reaches UK citizens. Other projects have helped the government verify where emails come from to thwart specific tax fraud campaigns aimed at the UK.

Future spending plans involved cash for recruiting more than 50 specialists who will work at the cybercrime unit at the National Crime Agency. These will help tackle organised gangs and aim to raise the cost of engaging in hi-tech crime to make it much less attractive.

The cyber-plan will also involve the creation of a Cyber Security Research Institute that aims to unite researchers across the UK’s universities to work together on improving defences for smartphones, laptops and tablets.

Security-based start-ups will also get help via an innovation fund that will commercialise work on novel tools and defences.

A national scheme will also be set up to retrain “high-aptitude professionals” as cybersecurity experts.

Prof Alan Woodward, a computer security expert from the University of Surrey, said he hoped the government spent cash on the “high volume, low sophistication attacks” that plague people and cause the majority of financial losses. “I hope the £1.9bn will be spent in growing talent,” he said. “The government talk about 50 recruits here and 50 there. I’m afraid we need many more.”

Prof Woodward said it was getting “increasingly difficult” to persuade young people to study computer science and getting them to try cybersecurity was a real headache. “I would really like to see money put into reaching young people early enough to influence the subjects they decide upon at school and painting an image for them of just how interesting and rewarding a career in cybersecurity can be,” he said.

Vince Cable Warns of Risks at Cyber Security Summit
Vince Cable has warned of the vulnerability of Britain’s essential services to cyber-attack at a summit of regulators and intelligence chiefs. The business secretary told the meeting – the first of its kind – more needed to be done to protect IT systems from attacks by criminals and terrorists. He said there was a growing threat of disruption to “everyday life”.

Banks, gas distribution, rail signalling and mobile networks were particularly vulnerable, he added. All of these systems, and others, depended on “having efficient, non-disruptive cyber systems operating and they are becoming more sophisticated,” Mr Cable told the meeting. “The pressure from consumers is to make it more sophisticated and with that comes vulnerabilities and the need to address those vulnerabilities,” he added.

He cited examples of “the kind of damage that can be done”, such as a 2012 cyber-attack on Saudi Arabia’s national oil company, which shut down 30,000 of its computers, and a series of cyber-attacks on US banks.

He added: “It is particularly important that those industries providing essential services such as power, telecommunications and banking are adequately protected to avoid disruption to our everyday lives. We can only achieve this objective through a partnership between government, the regulators and industry. Today’s event marks the next step in highlighting the important role of the regulators in overseeing the adoption of robust cyber security measures by the companies that supply these crucial services.”

The regulators, which included representatives from the Bank of England, Civil Aviation Authority, Office of the Nuclear Regulator, Ofgem, Ofwat and Ofcom, were briefed on the threat posed to systems by Sir Ian Lobban, the head of the government’s secret listening post GCHQ.

In a joint communiqué, the government and regulators pledged:

- More exercises to test procedures and resilience
- The adoption of security standards and measuring progress against GCHQ’s 10 Steps to Improve Cyber Security plan
- More information sharing across different industry sectors on how to combat the cyber threat

It comes as the Bank of England published a report on Waking Shark 2, an exercise carried out last year to test the UK banking industry’s response to a cyber-attack by a hostile nation.

More than 200 representatives from the major banks, financial regulators, the Treasury and infrastructure providers took part in the four-hour exercise, which was meant to test how they would cope with a major disruption to their computer systems.

The exercise was “desk-based” and did not involve the shutting down of actual systems – but was instead meant to find out how the different banks and agencies would work together to mitigate the impact of a cyber-attack that had shut down their websites and disrupted market data.

The Bank’s report on the exercise recommends nominating a single body to coordinate communications across the industry during an incident and urges banks to report major attacks to the regulators as soon as possible. It also reminds banks to report cyber-attacks to the police.

Deputy Bank of England governor Andrew Bailey, who is chief executive of the Prudential Regulation Authority, said: “It is essential for financial stability that the UK financial system and its infrastructure continues to work towards improving its ability to withstand cyber-attacks.”