All The Latest CyberNews..

Cybersecurity news stories that we found interesting and/or thought-provoking.


CyberNews – Biggest Incidents of 2017


Let this recap of 2017’s biggest cyber-incidents so far serve as a reminder of just how chaotic things have already gotten.

 

Equifax

Equifax, one of the three major credit reporting agencies, handles the data of 820 million consumers and more than 91 million businesses worldwide. Between May and July of this year 143 million people in the U.S. may have had their names, Social Security numbers, birth dates, addresses and even driver’s license numbers accessed. In addition, the hack compromised 209,000 people’s credit card numbers and personal dispute details for another 182,000 people. What bad actors could do with that information is daunting.

This data breach is more confusing than others — like when Yahoo or Target were hacked, for example — according to Joel Winston, a former deputy attorney general for New Jersey , whose current law practice focuses on consumer rights litigation, information privacy, and data protection law.

While other companies have scrambled to retain loyalty after consumer data has been compromised, the Equifax breach is different, says Winston, because we — the consumers — are not its customers.

“We are the product,” he says. “Us and our data is what Equifax is selling to other people and companies, and they are scrambling to keep their customers, without much regard for actual consumers.”

And while other breaches may have exposed credit card numbers or Social Security numbers, the information Equifax has — on almost all of us — is much more extensive, which makes us all feel very vulnerable.

Shadow BrokersThe mysterious hacking group known as the Shadow Brokers first surfaced in August 2016, claiming to have breached the spy tools of the elite NSA-linked operation known as the Equation Group. The Shadow Brokers offered a sample of alleged stolen NSA data and attempted to auction off a bigger trove, following up with leaks for Halloween and Black Friday in 2016.This April, though, marked the group’s most impactful release yet. It included a trove of particularly significant alleged NSA tools, including a Windows exploit known as EternalBlue, which hackers have since used to infect targets in two high-profile ransomware attacks (see below).The identity of the Shadow Brokers is still unknown, but the group’s leaks have revived debates about the danger of using bugs in commercial products for intelligence-gathering. Agencies keep these flaws to themselves, instead of notifying the company that makes the software so the vendor can patch the vulnerabilities and protect its customers. If these tools get out, they potentially endanger billions of software users.

WannaCry

On May 12 a strain of ransomware called WannaCry spread around the world, walloping hundreds of thousands of targets, including public utilities and large corporations. Notably, the ransomware temporarily crippled National Health Service hospitals and facilities in the United Kingdom, hobbling emergency rooms, delaying vital medical procedures, and creating chaos for many British patients.

Though powerful, the ransomware also had significant flaws, including a mechanism that security experts effectively used as a kill switch to render the malware inert and stem its spread. US officials later concluded with “moderate confidence” that the ransomware was a North Korean government project gone awry that had been intended to raise revenue while wreaking havoc. In total, WannaCry netted almost 52 bitcoins, or about $130,000—not much for such viral ransomware.

WannaCry’s reach came in part thanks to one of the leaked Shadow Brokers Windows vulnerabilities, EternalBlue. Microsoft had released the MS17-010 patch for the bug in March, but many institutions hadn’t applied it and were therefore vulnerable to WannaCry infection.

Petya/NotPetya/Nyetya/Goldeneye

A month or so after WannaCry, another wave of ransomware infections that partially leveraged Shadow Brokers Windows exploits hit targets worldwide. This malware, called Petya, NotPetya and a few other names, was more advanced than WannaCry in many ways, but still had some flaws, like an ineffective and inefficient payment system.

Though it infected networks in multiple countries—like the US pharmaceutical company Merck, Danish shipping company Maersk, and Russian oil giant Rosnoft—researchers suspect that the ransomware actually masked a targeted cyberattack against Ukraine. The ransomware hit Ukrainian infrastructure particularly hard, disrupting utilities like power companies, airports, public transit, and the central bank, just the latest in a series of cyber assaults against the country.

Wikileaks CIA Vault 7

On March 7, WikiLeaks published a data trove containing 8,761 documents allegedly stolen from the CIA that contained extensive documentation of alleged spying operations and hacking tools. Revelations included iOS and Android vulnerabilities, bugs in Windows, and the ability to turn some smart TVs into listening devices.

Wikileaks called the dump “Vault 7,” and the organization has followed the initial release with frequent, smaller disclosures. These revelations have detailed individual tools for things like using Wi-Fi signals to track a device’s location, and persistently surveilling Macs by controlling the fundamental layer of code that coordinates hardware and software.

WikiLeaks claims that Vault 7 reveals “the majority of [the CIA] hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.” It is unclear, though, what proportion of the CIA toolbox the disclosures actually represent. Assuming the tools are legitimate, experts agree that the leaks could cause major problems for the CIA, both in terms of how the agency is viewed by the public and in its operational abilities. And as with the Shadow Brokers releases, Vault 7 has led to heated debate about the problems and risks inherent in government development of digital spy tools.

Cloudbleed

In February, the internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data. Cloudflare offers performance and security services to about six million customer websites (including heavy hitters like Fitbit and OKCupid), so though the leaks were infrequent and only involved small snippets of data, they drew from an enormous pool of information.

Google vulnerability researcher Tavis Ormandy discovered the problem on February 17, and Cloudflare patched the bug within hours, but the data leakage could have started as early as September 22, 2016. Leaked data was only deposited on a small subset of Cloudflare customer sites, and usually it wasn’t visible on the pages themselves. Search engines like Google and Bing that crawl the web, though, automatically cached the errant data—everything from gibberish to users’ Uber account passwords and even some of Cloudflare’s own internal cryptography keys—making it all easily accessible through search.

Cloudflare worked with search engines ahead of and after the announcement to remove the leaked data from caches, and experts noted that it was unlikely that hackers used the data malevolently; the random leaks would have been difficult to weaponize or monetize efficiently. But any exposed sensitive data creates risks. The incident was also significant as a reminder of how much rides on large internet infrastructure and optimization services like Cloudflare. Using one of these services makes sites much more robust and secure than they probably would be on average if owners attempted to build defenses themselves. The tradeoff, though, is a single point of failure. A bug or a damaging attack affecting a company like Cloudflare can impact, and potentially endanger, a significant portion of the web.

198 Million Voter Records Exposed

Unfortunately, it’s not uncommon to hear that a trove of voter data was breached or exposed somewhere in the world. But on June 19, researcher Chris Vickery announced a discovery that would give even the most jaded security expert pause. He had discovered a publicly accessible database that contained personal information for 198 million US voters—possibly every American voter going back more than 10 years.

The conservative data firm Deep Root Analytics hosted the database on an Amazon S3 server. The group had misconfigured it, though, such that some data on the server was protected, but more than a terabyte of voter information was publicly accessible to anyone on the web. Misconfiguration isn’t a malicious hack in itself, but it is a critical and all-too-common cybersecurity risk for both institutions and individuals. In this case, Deep Root Analytics said that the voter data, though publicly exposed, was not accessed by anyone besides Vickery—but it’s always possible that someone else discovered it, too. And though a lot of voter information is readily available anyway (names, addresses, etc.), Deep Root Analytics specializes in compiling revealing data, so being able to access so much pre-aggregated information would be a boon to a cyber criminal.

Macron Campaign Hack

Two days before France’s presidential runoff in May, hackers dumped a 9GB trove of leaked emails from the party of left-leaning front-runner (now French president) Emmanuel Macron. The leak seemed orchestrated to give Macron minimal time and ability to respond, since French presidential candidates are barred from speaking publicly beginning two days before an election. But the Macron campaign did release statements confirming that the En Marche! party had been breached, while cautioning that not everything in the data dump was legitimate.

The attack was less strategic and explosive than the WikiLeaks releases of pilfered DNC emails that dogged Hillary Clinton’s presidential campaign in the US, but Macron also had the advantage of observing what had happened in the US and preparing for potential assaults. Researchers did find evidence that the Russian-government-linked hacker group Fancy Bear attempted to target the Macron campaign in March.

After the email leak heading into the election, the Macron campaign said in a statement, “Intervening in the last hour of an official campaign, this operation clearly seeks to destabilize democracy, as already seen in the United States’ last president campaign. We cannot tolerate that the vital interests of democracy are thus endangered.”


CyberNews – September 2017



CyberNews – August 2017


Individuals at Risk

Cyber Update

Google Patches 10 Critical Bugs in August Android Security Bulletin: Google patched 10 critical remote code execution bugs in its August Android Security Bulletin issued Monday. ThreatPost, August 8, 2017

Mozilla Fixes 29 Vulnerabilities in Firefox, Makes Flash Click-To-Activate: Mozilla fixed three critical vulnerabilities when it released Firefox 55 on Tuesday, including bugs that could have triggered a crash of the browser and allowed for the execution of arbitrary code. ThreatPost, August 9, 2017

Critical Security Fixes from Adobe, Microsoft: Adobe has released updates to fix dozens of vulnerabilities in its Acrobat, Reader and Flash Player software. KrebsOnSecurity, August 8, 2017


Cyber Defense

Five Cybersecurity Tips for Your Summer Vacation: Whether you’re hitting the same old beach town or taking a cycling tour of Provence, follow these Top Five steps to stay cyber secure while soaking up the sun. ITSP Magazine


Information Security Management in the Organization

Information Security Management and Governance

Culture Change Metaphor: Teach everyone to avoid a hot stove and you have no-cost burn care: It’s ironic: when global threats are in the news every day, their ubiquity makes them easy to ignore.” Robert Braun, co-chair of the Cybersecurity and Privacy Law Group, Jeffer Mangels Butler & Mitchell and SecureTheVillage Leadership Council. Cyber Security Lawyer Forum, August 3, 2017

New analysis shows cyber-breach has large impact on stock price: When it comes to thinking about cyber-attacks, many of the folks running businesses are relying on a heavy combination of faith (“it won’t happen to us”), reliance on cyber-insurance (“any losses will be covered”), and the unfounded belief that the long-term consequences won’t be that bad (“if it does happen, we’ll be back in business in no time”). ITSP Magazine, August 7, 2017

Data Breach Cost Calculator – IBM Security & Ponemon Institute: Companies face the constant, rising threat of data breaches each year. However, the cost of a data breach differs for every organization. How much would it cost yours? IBM Security, 2017


Cyber Awareness

Social cybersecurity: Influence people, make friends and keep them safe: Jason Hong talks about Carnegie Mellon’s work in social cybersecurity, a new discipline that uses techniques from social psychology to improve our ability to be secure online. Tech Target, August 2017


Cyber Warning

IRS Warns Tax Preparers of Fake Software Update Scheme that Steals Passwords: Just in time for the seasonal upgrading of tax software, the IRS is warning of phishing emails that try to trick tax professionals into downloading software updates, but in fact steer victims into divulging login credentials. BankInfoSecuirty, August 9, 2017


Cyber Defense

Assessing Risks and Remediating Threats With a Layered Approach to Vulnerability Management: Companies need to do more than just scan for known problems and provide huge vulnerability reports to system and network administrators for remediation. Security Intelligence, August 9, 2017

Most of what we know about passwords is wrong, and how businesses should respond: Bill Burr, who wrote the guidelines for modern password standards, claims that he gave the wrong advice on how people should go about creating passwords. TechRepublic, August 9, 2017

10 bad habits cybersecurity professionals must break: Cybersecurity workers face many challenges on the job. Here are 10 bad habits they must avoid in order to be most effective. TechRepublic, August 10, 2017

Beware of Security by Press Release: The DirectDefense – Carbon Black Brouhaha: On Wednesday, the security industry once again witnessed an all-too-familiar cycle: I call it “security by press release.” KrebsOnSecurity, August 10, 2017

“White Hat” Hackers: Privileged Accounts Provide Fastest Access to Sensitive, Critical Data:Nearly 75 percent state traditional perimeter security firewalls and antivirus are now irrelevant or obsolete. DarkReading, August 9, 2017

Protecting Personal Information: A Practical Guide for Business – FTC: Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees. Federal Trade Commission


Cyber Law

Nationwide Insurance Breach Settlement Agreement: $5.5 million & stronger security management practices: Nationwide Mutual Insurance Co. will pay a $5.5 million settlement and update its security practices as a result of an agreement with attorneys general in 32 states and the District of Columbia in the wake of a 2012 data breach affecting more than 1.2 million individuals. BankInfoSecurity, August 9, 2017


Cyber Talent

Majority of MSPs struggle to find enough cybersecurity pros to hire: Two out of three managed service providers (MSPs) suffer from a shortage of qualified cybersecurity staff—leading to challenges keeping customers safe from ransomware attacks, according to a report from Kaspersky Lab, released Wednesday. TechRepublic, August 10, 2017

Five strategies to address the cybersecurity skills shortage: The ability to detect and respond to threats is greatly impeded by a lack of cybersecurity skills and staff. CSO, August 10, 2017


Cyber Security in Society

HBO Cyber Attack

Game of Thrones stars’ personal details leaked as HBO hackers demand ransom: Hackers of US television network HBO have released personal phone numbers of Game of Thrones actors, emails and scripts in the latest dump of data stolen from the company, and are demanding a multimillion-dollar ransom to prevent the release of whole TV shows and further emails. The Guardian, August 8, 2017

Watch the ransom video hackers sent to HBO (set to Game of Thrones music): HBO is at the center of a massive cyberattack putting 1.5 terabytes of valuable intellectual property and private information at risk. Mashable, August 9, 2017

HBO Hackers Leak Email From Network That Offers Them $250,000: The email dated July 27 indicates a negotiation between the network and the hackers. Hollywood Reporter, August 10, 2017


Know Your Enemy

Hackers & Pirate Websites Conspire In Malware Extortion Schemes: Hackers have become an inescapable part of the Hollywood narrative, on and off the screen. Deadline, August 8, 2017

Russia’s ‘Fancy Bear’ Hackers Used Leaked NSA Tool to Target Hotel Guests: Since as early as last fall, the Russian hacker group known as APT28, or Fancy Bear, has targeted victims via their connections to hacked hotel Wi-Fi networks, according to a new report from security firm FireEye, which has closely tracked the group’s intrusions, including its breach of the Democratic National Committee ahead of last year’s election. Wired, August 11, 2017


Cyber Freedom

Voting Machine “White-Hat” Hackers Have 5 Tips to Save the Next Election: American Democracy depends on the sanctity of the vote. Wired, August 6, 2017


National Cyber Security

A Vulnerable Castle in Cyberspace … Embracing the ‘information warfare’ mindset: The topic of cybersecurity seems to affect just about everything these days. US News, August 11, 2017


Financial Cyber Security

Uptick in Malware Targets the Banking Community: A number of recent attacks, using tactics old and new, have made off with an astonishing amount of money. DarkReading, August 9, 2017


Cyber Medical

DHS Warning: Vulnerabilities Found in Some Siemens Medical Imaging Devices Open Door to Hackers: The Department of Homeland Security has issued an alert warning about cyber vulnerabilities in certain Siemens medical imaging products running Windows 7 that could enable hackers to “remotely execute arbitrary code.” BankInfoSecurity, August 8, 2017


Cyber Sunshine

Alleged sextortionist caught after FBI plants malware on video of victim: A Bakersfield, Calif. man who allegedly tried to extort pornographic video footage from underage victims was tracked down and apprehended after investigators secretly hid malware on a digital video file sent from the intended victim’s computer, according to a criminal complaint filed in Indiana. SC Media, August 10, 2017

Alleged vDOS Operators Arrested, Charged — Krebs on Security: Two young Israeli men alleged by this author to have co-founded vDOS — until recently the largest and most profitable cyber attack-for-hire service online — were arrested and formally indicted this week in Israel on conspiracy and hacking charges. KrebsOnSecurity, August 09, 2017


 SecureTheVillage Calendar

SecureTheVillage: San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable: SecureTheVillage and Citadel President Stan Stahl will speak on High-Performance Information Security Management & Leadership Teams. August 17, 2017, 7:30 -10AM. Datastream, Glendale.

National Assn of Corporate Directors — Southern California Chapter: Join SecureTheVillage and Citadel President Stan Stahl, the National Cyber Forensics Training Alliance (NCFTA) CEO and former secret service agent Matt Lavigna, Apria Healthcare’s CISO Jerry Sto. Thomasand former SaaS CEO and PwC Partner, Bob Zukis. Learn about Southern California’s unique risks and local efforts to fight cybercrime. September 6, Noon Luncheon, California Club.

PIHRA: Information Security Awareness: The Cyber Tsunami!: Citadel’s Kimberly Pease will facilitate a discussion of (i) steps to take to protect a company’s information from hackers and cyber criminals; (ii)tips to protect yourselves as consumers; (iii) understanding who the criminals are and why you are a target; (iv) real stories and scary examples that could happen to you. September 20, 7:30 – 9:30, The City Club

SecureTheVillage: Financial Services Cybersecurity Roundtable: The Financial Services Cybersecurity Roundtable is a cross-organizational, cross-functional “learning community” committed to working together to better protect our community from bank fraud, credit card theft, identity theft and other forms of cyber crime. September 22, 7:30 – 10:00, Grandpoint Bank

SecureTheVillage: San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable: The San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable is designed to support communication and collaboration between C-Suite executives, IT managers, and cybersecurity experts. The San Fernando Valley-East Roundtable is intended for both for-profit and nonprofit organizations. The Roundtable functions as a cross-organizational “learning community” committed to working together to better protect our community from cybercrime. September 28, 7:30 -10AM. Datastream, Glendale.

Glendale Tech Week: SecureTheVillage and Citadel President Stan Stahl will join Louie Sadd, Datastream Managing Partner and SecureTheVillage Leadership Council member, and other cybersecurity panelists. October 12, 10:00 – 11:00, Glendale Central Library.

SecureTheVillage: Cybersecure Los Angeles 2017 — Get Cyber Prepared: SecureTheVillage joins UCLA Extension for its first cybersecurity conference. Learn from leading information security professionals and law enforcement, including: information security providers, cyber-insurance, financial services, law, the FBI, LA County District Attorney’s Office, and more. Leave with SecureTheVillage’s Information Security Management and Leadership ResourceKit: A practical guide for implementing an information security management and leadership program in your organization. October 19, 9:00 – 2:00, UCLA Extension, Figueroa Courtyard

That’s about it for now.