Cyber Risk News
Two-fifths (39%) of global companies have suffered a major mobile security compromise over the past year, many of them via IoT devices, according to a new report from Verizon.
The vendor’s Mobile Security Index report for 2020 is compiled from interviews with 876 professionals responsible for buying, managing and securing connected devices, as well as information from partner organizations including the FBI.
The percentage of organizations that suffered a compromise — a successful attack resulting in “a system’s defenses being rendered ineffective” — rose from 27% in 2018. The result was mainly downtime (59%), loss of data (56%) and compromise of other devices (46%).
Over half (55%) of those suffering a major impact from such a compromise said the repercussions were lasting.
IoT deployments are on the rise, but 31% of these respondents admitted they’d suffered a compromise.
This is concerning as 84% use such devices to gather personal data and a quarter don’t anonymize it. Some 41% of respondents claimed the IoT data they gather is “extremely valuable” and 39% said that it is “quite valuable.”
Elsewhere, unsecured Wi-Fi hotspots remain a major source of cybersecurity risk: 20% of organizations that suffered a mobile compromise claimed that one was involved.
Phishing is also a major threat, but on mobile devices, just a small percentage (15%) of attacks come via email. Many more (85%) take place via messaging, productivity, gaming and other apps.
Although the figure has dropped slightly from last year, over two-fifths (43%) of organizations said that they have sacrificed mobile security in the past to “get the job done.” Expediency (62%), convenience (52%) and profitability targets (46%) were the top reasons.
Bryan Sartin, executive director, global security services at Verizon, argued that with many firms relying on mobile devices to run day-to-day operations, security should be a priority.
“The types of devices, diverse applications and further emergence of IoT devices further complicate security. Everyone has to be deliberate and diligent about mobile security to protect themselves and their customers,” he added.
A new survey from SANS has revealed that almost 50% of organizations have a team dedicated to cyber-threat intelligence (CTI).
In its 2020 SANS Cyber Threat Intelligence Survey, the education and training provider received 1006 responses from a wide-ranging group of security professionals from various organizations. It discovered that, in many cases, CTI has evolved from small, ad hoc tasks performed disparately across businesses to robust programs with dedicated staff, tools and processes. In fact, more than 84% of respondents said their organization has at least some kind of resource focusing on CTI, with 44% reporting a formal process for gathering intelligence requirements, which makes intelligence processes more efficient, effective and measurable.
“In the past three years, we have seen an increase in the percentage of respondents choosing to have a dedicated team over a single individual responsible for the entire CTI program,” said survey author and SANS instructor Robert M Lee.
“Collaboration within organizations is also on the rise,” he added, “with many respondents reporting that their CTI teams are part of a coordinated effort across the organization.”
However, there are inhibitors that hold some businesses back from implementing effective CTI, the research showed. A lack of trained staff was cited by 57% of those polled, whilst 52% and 48% (respectively) said a lack of time to implement new processes and a lack of funding also played a part.
French sporting retail giant Decathlon has become the latest big brand to expose user data via a misconfigured database, leaking over 123 million records including customer and employee information, according to researchers.
A team at vpnMentor uncovered the 9GB database on an unsecured Elasticsearch server. It contained information from Decathlon’s Spanish, and potentially also its UK, businesses.
“The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information,” said vpnMentor.
Leaked data included employee usernames, unencrypted passwords and personally identifiable information (PII) including social security numbers, full names, addresses, mobile phone numbers and birth dates.
The leaked data also featured customer email and log-in information, all unencrypted.
The vpnMentor team claimed that cyber-criminals could: use administrator log-ins to conduct corporate espionage, bombard customers and employees with convincing phishing emails and use PII to engage in identity fraud.
It even argued that some employees could be in physical danger.
“Employees’ positions and work locations are spread throughout this database, as well as their own physical home addresses,” the report noted. “This could lead to disgruntled former co-workers or irate customers tracking them down and threatening their physical safety and well-being.”
Decathlon is claiming that, despite the large number of records contained in the database, only a small percentage relates to actual users.
The unsecured database was discovered on February 12, with the company notified four days later. It took action almost immediately, closing down public access to the database on February 17.
Decathlon joins a long line of organizations whose cloud security configurations have been found wanting. Already in 2020, vpnMentor has uncovered a leak of 30,000 records linked to US cannabis users, and thousands of UK business professionals who were exposed via a London-based consultancy.
A popular producer of smartphone skins has suffered a major data breach, compromising the personal details of over 857,000 customers.
Slickwraps issued a breach notification to customers last Friday, claiming that data in “some of our non-production databases was mistakenly made public via an exploit,” and then accessed by an unauthorized third party.
In fact, what appears to have happened is that a security researcher going by the moniker “Lynx” on Twitter discovered a vulnerability in the Slickwraps website and then publicly disclosed it to the firm via the social media site, before writing up the findings in a Medium post. Both have since been deleted.
Before the firm had time to respond, it seems that hackers stepped in to exploit the bug and access the customer data, according to Android Police. They subsequently emailed users to inform them their data was now compromised.
According to notification site HaveIBeenPwned?, 857,611 unique email addresses were compromised in the breach, belonging to customers and newsletter subscribers. Also included were names, physical addresses, phone numbers and purchase histories.
Slickwraps assured users that if they checked out as “guest” their details are safe. It added that no passwords or financial data were stolen, but recommended customers change their passwords anyway out of precaution.
Jake Moore, cybersecurity specialist at ESET, warned that hackers can still do a lot of damage, even with a list of emails and names.
“The biggest risk is via brute force attacking the accounts, where criminals use leaked common password combinations against the emails to try and break into other personal accounts. A large number of people still use predictable or simple passwords,” he explained.
“Together with recent high-profile breaches, many people's passwords are also readily available on the dark web, so it quickly becomes just a simple exercise for cyber-criminals to join the dots. The threat this poses is then increased, as many people use the same passwords across multiple accounts.”
At BSides San Francisco, Bryan Zimmer, head of security at Humu, delivered a talk on how to create a security program and develop a security-centric culture as the organization’s first security hire.
“So you’re the first security hire,” began Zimmer. “You’re going to need social skills.” Zimmer advised that being humble and building relationships with key stakeholders, department heads, and various teams around the organization is critical to getting ahead as a security leader. “It’s not just about tech and tools,” he said. “It’s about security culture.”
Zimmer suggested that being approachable and thankful and parking the jargon will all contribute to your success as a communicator. “Collaborate, don’t dictate,” he said. Additionally, social skills will get you executive buy-in early, which is very important in terms of securing budget and making a name for yourself. “Identify the major stakeholders and engage one on one with them.
“Ask for feedback, have empathy, and always send the elevator back down,” continued Zimmer, explaining it means “using your power to help others below you. Find and hire minorities, invite graduates to industry events, offer career advice.”
Zimmer noted that one of the most important things to establish when starting out in the role is the organization’s priorities and strategy. “Find out what matters most to the business, determine what needs protecting and what it considers to be its crown jewels. Ask about budgets and time frames and goals. You need to establish if the company is just ticking a box or whether it deeply cares about security.” But, importantly, added Zimmer, “Protect customer data, because it’s the right thing to do.”
Next up, he advised, “find out what laws you have to comply with and establish policies and frameworks in line with these.” His advice is to “outsource as much of the compliance stuff as you can.”
[Image: the session was summarized in visual notes by Kingman Ink]
Finding out what level of risk the business is comfortable with establishing should also be at the top of a security leader’s agenda, Zimmer said. “Find out where your data is and where it is going and turn on whitelisting from the beginning. Take an inventory of your applications and integrations and create a basic risk spreadsheet.” Further, he advised digesting and using threat report data.
Zimmer is a big proponent of simplification. That includes language. “Speak English, not techie,” he said. “Technical language alienates people, and they won’t want to talk to you again, so always tailor your level of techie to your audience. Be friendly, say hello to people, increase your visibility in the business, and collaborate with different departments.”
Zimmer believes it’s a security leader’s job to set the culture, not just the technology. “Set principles of transparency and tell people what you’re doing, assure them and build a rapport with staff.” Giving employees tools and the education to use them makes staff self-reliant, he said, which is good because “you can’t possibly be involved in every single security decision.”
People hate hearing no, said Zimmer, so “don’t hold up business unless it’s critical. Always assume good intent, people are just trying to get their job done, and that will make you wanted, not feared.”
Create a positive security culture by avoiding complex policies and procedures, he advised. Security training too, he added, should not be complicated. “Don’t over-communicate, because people will ignore it after a while.” Zimmer shared examples of awareness campaigns he used in his last role at Netflix, using humor and cute animal photos to attract attention. “The head of legal loved the hedgehog poster,” he recalled. “Security is a dry topic, so be creative and make it fun.”
Finally, he gave a nod to physical security. “Who else will do it?” he said, suggesting this may fall into the security leader’s remit for the first year or two. “Consider authentication, access control, and monitoring,” he concluded.
#BsidesSF: Keynote: Slack CISO Reflects on a Decade of Mayhem and Gives Checklist Advice in Its Wake
Ryder broke down her observations on the past ten years of cybersecurity into the following notable categories: malware, data breaches, vulnerabilities, and privacy. “Over the past decade, malware went critical,” she observed, calling out Stuxnet, WannaCry, and NotPetya as the most notable.
Her journey of reflection then moved on to data breaches, of which she called Yahoo! “one of my favorite breaches” due to the story of prosecution and conviction. She then referenced the Adult Friend Finder and Ashley Madison breaches as breaches with a different motive. “These breaches were about hackers making a moral judgement, and [the abstraction of] a different type of very personal information,” she noted. “Then there was Target,” which brought to light vendor risk management and made it a critical issue. “We need to establish trust with all our vendors because vendor risk management is so much more critical now than it was in 2010.”
The last decade, said Ryder, saw “vulnerabilities earning names.” The most notorious of those names were Heartbleed (2014), Meltdown and Spectre (2018), and EternalBlue (2017).
Taking the decade of malware, data breaches, and vulnerabilities into account, Ryder considered the impact it has had and what has changed as a result. Interest and awareness about cybersecurity is perhaps the biggest consequence, she said. In the Global Risks Report 2020, cybersecurity featured twice in the list of top 10 global risks: cyber-attacks on infrastructure came in at number five, and cyber-attacks involving theft of money or data came in at number eight.
The past decade has also witnessed evolution in the way that information security professionals do their jobs, with cloud, privacy, and the proliferation of mobile devices responsible for the biggest changes.
On the topic of privacy, Ryder cited privacy regulation as one of the “good things to happen in the past decade.” Privacy regulation, she said, referencing GDPR and the CCPA, has been “both significant and positive.”
“I don’t make predictions, but if I did, these are the trends I would expect to see next,” said Ryder, somewhat ironically. “The Internet of Things will go viral, malware will learn by machine, and SCADA will come crashing down,” she predicted.
Checklists and Advice
Ryder compiled a list that she referred to as a “Checklist of the impossible.” It includes advice that she considers sensible, yet admits that she knows is near to impossible to follow:
- Stay patched.
- Don’t click on (suspicious) links.
- Never open untrusted email attachments.
- Do not download from untrusted websites.
The following checklist items, she said, are “less impossible” to follow:
- Avoid inserting unknown USBs.
- Use VPN over public Wi-Fi.
- Back up your data.
In light of how difficult this checklist might be, Ryder has formed another list of advice, which she considers “simplified advice that is essential for all new users that you are on-boarding”:
- If you see something, say something (trust your instincts and report anything that seems worrying or out of the ordinary).
- Use what I gave you (don’t sign up for or download anything unauthorized).
- Customer data is off limits.
- If you don’t understand why I’m creating this friction for you, ask me (I can rationalize or explain why certain rules are in place).
Ryder referred to the “infinite bag of risk” that she and her peers face. It can feel overwhelming, and it can seem insurmountable, but “the key is not to try and boil the ocean,” she advised. “You have to start somewhere, so work out what normal looks like and bring in a red team to test your security,” she said.
“Recognize the burden that you are facing and bound your efforts,” and finally, she concluded, “lean on our community to share concerns, worries, and advice at events like these.”
Speaking at the Cloud Security Alliance (CSA) summit at the RSA Conference in San Francisco, Alex Stamos, adjunct professor at Stanford University's Freeman-Spogli Institute, said that issues and decisions made by technology companies have angered people.
Stamos, who previously served as CISO of both Facebook and Yahoo, said that once he stepped out of those roles and “out of constant emergencies” he could see the bigger picture.
He said that “tradeoffs from a policy perspective are poorly understood by the public and usually go back to the engineering adage of do you want it done correctly, cheaply, or quickly—pick 1 of 3.” Stamos said that this is a basic problem of society, as people say that they don’t want companies looking at their data, but to stop bad things happening you need to see bad things. “Politicians say companies have to find the bad guys, but you cannot have two things.”
Another issue Stamos highlighted is the balance that technology companies have for “solving societal ills,” as he pointed out that technology companies provide platforms while “every bad thing [that] happened [was] done by people.”
He said that companies have to “embrace transparency and make decisions in a transparent manner.” However, the line has to be drawn around bullying and harassment, as “nothing has changed since the last election.”
Stamos said that Google, Facebook, and Twitter came up with policies on political advertising “in closed rooms with no transparency,” and these will be the rules that the 2020 election will be fought on.
He recommended that the tech industry adopt a regulatory framework similar to what Germany did regarding what speech is allowed online, but should consider how this can be adopted by countries with reduced democratic freedoms. “Or you end up with tech companies who are happy if they get regulated if they can make money, as most people who use the internet don’t live in democracies, or if they do, it is with reduced free speech.”
Stamos concluded by saying that we “have to realize that technology has made changes in good and bad ways” and take responsibility for that.
Security is both a business and a technical issue, especially as businesses become more digital and have technical controls embedded into software.
Speaking at the Cloud Security Alliance (CSA) summit at the RSA Conference in San Francisco, Phil Venables, board director and a senior advisor for risk and cybersecurity at Goldman Sachs Bank, said that to treat cybersecurity as just a business issue is important, but “to say it is not also a technology issue is a disservice” to those digital businesses.
Venables said there are three ways that cyber can be a business risk:
Enterprise Integration — Make this part of the fabric of business decision making.
- Embed risk considerations into the enterprise governance apparatus.
- Conduct risk assessments and establish a risk appetite.
- Relentlessly integrate risk considerations into all business processes: strategic, capital, people, product.
Technology Integration — Make this a core part of how technology is built and operated, and secure products, not just security products.
- Recognize that basic and relentless controls, hygiene/operational discipline are essential.
- Embed automation/iterative improvement into the heart of tech delivery. Continuously monitor control effectiveness, presence, and operation.
- Strive for ambient controls—in preference to expecting employees/customers to be a significant line of defense.
Venables recommended embedding security into your processes, using standards like those created by the CSA, and creating an environment of products that “are not jammed in after the fact.” He said: “Think about embedding control across the life cycle.”
Resilience and Recovery — Plan for failure and constantly exercise and drill.
- Detect early, respond decisively, formalize accountability, and test constantly.
- Limit the blast radius of potential events through business and technology process adjustment.
- Integrate cybersecurity incident response with operational resilience.
Venables said there should be a consideration of how to maximize your response efforts. “Treating security as a first-class risk is about doing the simple things that have to be exercised relentlessly over many years,” he said, saying that security is “not a project that finishes anytime soon” but is a perpetual part of the business DNA.
Looking forward, Venables said there are five areas of focus:
- Software security and reliability
- Usable security and ambient control
- Continuous assurance—continuous monitoring—provable security
- Operational resilience
- Adjacent benefits
He concluded by saying that as many organizations and customers become accidental software developers, we “need to make sure security is baked in.” He said that as users are enabled with tools and controls to increase software reliability, the user experience has to be considered, as it is a part of the supply chain.
Two employees of cybersecurity firm Coalfire who were arrested for an alleged burglary of an Iowa courthouse have had all charges against them dismissed.
Gary Edward Demercurio, of Seattle, Wash., and Justin Lawson Wynn, of Naples, Fla., were arrested in September 2019 after being found inside the Dallas County Courthouse in possession of burglary tools.
The two Colorado company employees were mistaken for criminals while conducting what a Coalfire spokesperson described as "a standard penetration test to protect Iowa citizens" for their client, the State of Iowa, on September 11.
Demercurio and Wynn, who were 43 and 29, respectively, at the time of the arrest, were both charged with felony burglary and the possession of burglary tools, which could have seen them jailed for a total of seven years each.
Following discussions between representatives of Coalfire, the Dallas County Sheriff, and the Dallas County Attorney, the Dallas County Attorney decided to dismiss trespass charges against the duo.
Senior security consultant Wynn said: "It was a red team engagement with physical penetration included as part of it. It wasn't the first physical breach that we did during that assessment. There were multiple facilities that we had already assessed, and it was the last one that we were coming around to.
"They specifically requested that they wanted 'after hours' testing at these locations. The client said they wanted to see how their facilities could be breached and what the security vulnerabilities are that we're working with."
Demercurio said: "The original arrest was supposed to be for trespassing but that changed to felony burglary. From that point, we were arrested and taken to jail. We were there for about 24 hours."
Wynn said that bail was set at $50,000 each for both him and Demercurio after the local prosecutor deemed them "a flight risk." The standard rate at which bail is set in Iowa is $5,000 per person.
Coalfire CEO Tom McAndrew said: "We are pleased that all charges are dropped in the Iowa incident. With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement.
"We’re grateful to the global security community for their support throughout this experience."
America's Federal Bureau of Investigation has arrested a man on suspicion of cyber-attacking the political rival of a former US congresswoman.
Arthur Jan Dam was arrested by the FBI on Friday. The 32-year-old is accused of masterminding a series of DDoS (distributed denial-of-service) attacks that targeted an opponent of former congresswoman Katie Hill.
Dam is suspected of causing four DDoS attacks to hit the websites of Hill's rival in April and May of 2018. As a result of the attacks, the victim's website was down for approximately 21 hours, causing financial losses of $5,000.
The victim believes that the attacks were partly to blame for a political loss sustained in the June 2018 Democratic primary for California’s 25th congressional district.
According to the complaint, "The victim reported suffering losses, including website downtime, a reduction in campaign donations, and time spent by campaign staff and others conducting critical incident response."
An investigation by the FBI found that the cyber-attacks originated from a single Amazon Web Services (AWS) account controlled by Dam, whose wife, Kelsey O'Hara, worked for one of Hill's rivals. Geolocation revealed that the attacks were launched from Dam's residence and also from his workplace.
The complaint states: "Dam was found to be connected to the cyber-attacks through subscriber information, IP addresses, geolocation history, and open sources, including through his employer and his wife, K.O., who worked for one of the victim's opponents."
According to Intercept, Dam provided $500 of free cybersecurity consulting services and graphic design to Hill's campaign in 2018; however, no evidence was found by the FBI that linked Hill personally to the cyber-attacks.
The websites of Jess Phoenix and Bryan Cafario—two of Hill's Democratic party opponents—were struck with cyber-attacks in 2018, one of which was timed to coincide with a pivotal debate on April 28. Over the same period, no attacks against Hill's website were reported.
In a statement released on Friday, Paul Delacourt, assistant director of the FBI’s Los Angeles Field Office, said: "Today’s arrest shows the FBI’s commitment to hold accountable anyone who interferes with an American’s right to vote or who deprives a candidate the right to compete fairly in an election."
The University of Washington School of Medicine is facing a class-action lawsuit over a data breach that impacted 974,000 patients.
Plaintiffs claim UW Medicine failed to "properly secure and safeguard" patients' personal health information (PHI), resulting in the exposure of data that included patient names, medical record numbers, and other healthcare data.
Earlier this month, UW Medicine reported that a misconfigured server had resulted in patient data being exposed online for a three-week period. The breach was identified when a patient came across a file containing their own PHI during a routine Google search and reported it to UW Medicine.
After an internal investigation into the incident, UW Medicine found that an employee error had left a database containing patient data exposed from December 4 to December 6, 2018.
"Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results," officials said at the time. "All saved files were completely removed from Google’s servers by January 10, 2019."
UW Medicine said that the compromised data did not include financial information or Social Security numbers. Data that was exposed included details regarding what tests patients had undergone.
Judging from the wording of the complaint filed in King County Superior Court, the plaintiffs aren't certain exactly what information was exposed in the breach. Among other things, the plaintiffs are seeking an order that will require UW Medicine to "fully and accurately disclose the precise nature of data that has been compromised."
Plaintiffs also want UW Medicine "to adopt reasonably sufficient security practices and safeguards" to prevent any further breaches from occurring in the future.
In 2015, UW Medicine agreed to take corrective action and pay the Department of Health and Human Services $750,000 following a 2013 breach, which exposed 90,000 patient records. The healthcare provider said the incident was the result of a malware infection.
An audit of UW Medicine conducted at the time by the Office of Civil Rights found that the healthcare provider did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.
New research from HackerOne has revealed that hackers believe the technology industry is the least secure industry.
The pen test and bug bounty platform collected data from over 3150 individuals who have successfully reported one or more valid security vulnerabilities on HackerOne, compiling its findings into The 2020 Hacker Report. Of those polled, 18% said that the technology industry has the furthest to go to improve its cybersecurity, followed by government (16%) and finance (14%).
Interestingly, and despite the UK ICO recently publishing its intentions to hand out huge GDPR fines to high profile organizations within the travel and hospitality sector following data breaches, the research found that only 1% of hackers think the travel and hospitality industry has the most to do to improve its data security posture.
HackerOne also revealed that ethical hackers are increasingly treating hacking for good as a career option. According to the report, more than 50 hackers earned over $100,000 (£77,000) in 2019 from bug bounties, whilst the hacker community has doubled in size in the last year to more than 600,000 – representing 850 hackers registering every day in 2019.
“Hackers represent a global force for good, coming together to help address the growing security needs of our increasingly interconnected society,” said HackerOne CEO Marten Mickos. “The community welcomes all who enjoy the intellectual challenge to creatively overcome limitations. Their reasons for hacking may vary, but the results are consistently impressing the growing ranks of organizations embracing hackers through crowdsourced security — leaving us all a lot safer than before.”
Google has removed almost 600 Android apps from its Play Store for violating its policy on disruptive advertising.
The tech giant has not only removed the titles from the Android marketplace but also banned them from Google AdMob and Ad Manager, meaning their developers will not be able to monetize them on its platforms.
The disruptive ad practices highlighted by Google included “out of context” advertising, which pops up when the user isn’t even logged into a specific app.
“This is an invasive maneuver that results in poor user experiences that often disrupt key device functions and this approach can lead to unintentional ad clicks that waste advertiser spend,” argued Per Bjorke, senior product manager for Ad Traffic Quality.
“For example, imagine being unexpectedly served a full-screen ad when you attempt to make a phone call, unlock your phone, or while using your favorite map app’s turn-by-turn navigation.”
Bjorke explained that Google had developed machine learning functionality to help detect such “out of context” ads, which led to this enforcement action.
“Mobile ad fraud is an industry-wide challenge that can appear in many different forms with a variety of methods, and it has the potential to harm users, advertisers and publishers,” he added.
Google is also getting better at finding and removing apps on its Play Store that contain malware. Last year, it claimed to have increased rejected app submissions by over 55% and app suspensions by more than 66% in 2018.
That doesn’t stop the black hats trying, however: malicious apps still make their way onto the platform and sometimes are downloaded millions of times before being blocked.
In June last year, adware was found in 238 apps on the Play Store, installed by an estimated 440 million Android users.
However, downloading apps from the official marketplace is still the recommended option: last year, Android malware dubbed “Agent Smith” was downloaded over 25 million times from a popular third-party store.
A US government agency that provides secure communications to the White House has notified individuals of a data breach that may have compromised their personal information.
The Defense Information Systems Agency (DISA), which also provides IT support for the President, Vice-President, US Secret Service, Joint Chiefs of Staff and others, employs around 8000 military and civilian staff.
However, a letter from its CIO, Roger Greenwell, dated February 11, revealed that details including Social Security numbers may have been breached “on a system hosted by DISA.
“While there is no evidence to suggest that your PII was misused, DISA policy requires the agency to notify individuals whose personal data may have been compromised,” it continued.
There are few other details about the incident, such as which systems were affected, how and by whom. It is said to have taken place between May and July 2019.
It’s also unclear whether the incident affected just DISA employees or a wider base of users of its services. Some reports have speculated that as many as 200,000 could be involved.
The agency is offering free credit monitoring to those affected and said it has now put in place additional security measures “to prevent future incidents,” as well as adopting “new protocols” to improve protection of PII.
Chris Morales, head of security analytics at Vectra, argued that if a US defense agency can be compromised, then “anyone can.
“Every network is complex and human error is common regardless of the level of organization. The information compromised seems to be non-critical to the function of the DoD — although very personal and private to the people compromised — so it may have been an external database without the same level of controls as internal secret information,” he added.
“It is an unfortunate situation and another in a long list of breaches as we head into 2020. Organizations need to get better at how long it takes to be aware of a compromise and how quickly they can respond. Visibility into how systems are used is key.”
Security researchers have discovered a publicly exposed cloud database containing personal data and behavioral profiles on 120 million Americans.
Security company UpGuard found the misconfigured Amazon S3 bucket on February 3 this year, eventually tracing it back to market analysis company Tetrad.
Around half of the 747GB trove appears to have been sourced from client organizations.
It included data extracted from Chipotle employees’ mobile phones for tracking, a spreadsheet containing the home addresses of 700,000 Kate Spade customers, and 3.5 million loyalty card accounts for beverage retailer Bevmo, including the physical address tied to each account.
The database also featured 10GB of data from the Experian Mosaic consumer behavior product. UpGuard discovered 130 million rows of this information including the address of each household and the name/names of the heads of the household, plus their gender and other details.
Companies like Tetrad use this information to map consumers, assigned to Mosaic categories by their buying behavior, to their geographical location, so that when retailers want to build a new store, they know to do so close to clusters of potential customers.
The result was a database of 120 million Americans including full name, gender, address and “type” of consumer. It’s unclear how long it was exposed for, although Tetrad is said to have finally closed access a week after first being notified.
“Digital technology does not just enable the accumulation of behavioral data; it also makes possible the unintentional exposure of that data en masse. In this case, multiple data sources, from other companies’ data products like Experian Mosaic to retailers’ customer loyalty programs, were combined in one storage bucket that was misconfigured for public access,” concluded UpGuard.
“As a result, data that was collected by multiple entities, and affecting with varying degrees of intensity every household in the US, was made available not just to businesses and other intended audiences, but to anyone at all.”
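The exposure described above comes down to a bucket policy (or ACL) that grants access to the anonymous principal, which is why a practitioner's first check on any S3 bucket is the policy document and the Public Access Block settings. The following Python is an added example, not UpGuard's or Tetrad's code: it evaluates a bucket policy of the kind `aws s3api get-bucket-policy --query Policy --output text` returns, flags statements that make objects world-readable, and checks that all four Public Access Block flags are on. The bucket name, account ID and role name in the sample policies are made up for illustration.

```python
"""Flag S3 bucket policy statements that grant public (anonymous) read access.

Added example, not code from the original article or from UpGuard/Tetrad.
Input is the JSON policy document returned by `aws s3api get-bucket-policy`;
the sample policies below are constructed for illustration.
"""
import json

# Actions that let an anonymous principal read objects or list the bucket.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}
WILDCARD_ACTIONS = {"*", "s3:*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def action_grants_read(action):
    """True if an Action string covers a read/list action, expanding trailing wildcards."""
    if action in WILDCARD_ACTIONS:
        return True
    if action.endswith("*"):
        prefix = action[:-1]
        return any(a.startswith(prefix) for a in READ_ACTIONS)
    return action in READ_ACTIONS


def public_read_statements(policy):
    """Return the Allow statements that give the anonymous principal read access."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if action_grants_read(a)]
        if not actions:
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            # A Condition (e.g. aws:SourceVpce) may narrow the grant; still worth review.
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_access_block_is_complete(config):
    """True only if all four flags from `aws s3api get-public-access-block` are enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(flag) is True for flag in required)


# Constructed sample: the weak policy that makes a bucket world-readable.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-analytics-bucket",
                 "arn:aws:s3:::example-analytics-bucket/*"]
  }]
}""")

# Constructed sample: the same grant limited to one IAM role (hypothetical account/role).
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReaderRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-analytics-bucket",
                 "arn:aws:s3:::example-analytics-bucket/*"]
  }]
}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, public_read_statements(policy))
```

Run against a real bucket by piping the `get-bucket-policy` output into `json.loads` and passing the result to `public_read_statements`; an empty list is the expected result for any bucket holding customer data, and `public_access_block_is_complete` should be true for the bucket and for the account, since the block settings stop a later policy edit from reintroducing the exposure.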
Two California state senators have introduced a bill to ban cyber-flashing and penalize repeat offenders with hefty fines.
The term "cyber-flashing" describes the act of sending unsolicited sexually explicit images and videos to strangers. Lewd images can be sent via social media, dating platforms, text messages, and email.
In some cases, unsolicited sexually explicit material is sent to unsuspecting recipients in public spaces via the iPhone AirDrop function.
According to the Pew Research Center, 53 percent of young American women and 37 percent of young American men have been sent unsolicited explicit material while online.
The bill, otherwise known as SB 1182 or as the FLASH (Forbid Lewd Activity and Sexual Harassment) Act, was introduced yesterday by senators Connie Leyva and Lena Gonzalez.
"It is unacceptable that any person would ever be sent a sexually explicit picture or video without their consent. SB 1182 will finally hold these perpetrators accountable," Senator Leyva said.
"Cyber flashing—which primarily affects women—is a modern form of sexual harassment, and we have to put a stop to this inexcusable and offensive behavior.
"When over half of all young women have received unwanted explicit pictures and videos, it is clear that this problem has reached epidemic levels."
Under the new legislation, first-time offenders would receive a $500 fine, while serial cyber-flashers would be fined $1,000 for each subsequent offense.
Bumble, a dating app on which women must make the first move in heterosexual matches, has voiced its support for the new bill.
Whitney Wolfe Herd, Bumble CEO, said: "An overwhelming majority of our time is spent online and there are simply not enough laws and deterrents in place to protect us, and women and children in particular.
"It falls upon us in the technology and social media space to work hand in hand with local government and legislators to isolate the problems and develop solutions just like the FLASH Act being introduced by Senator Leyva."
The FLASH Act is due to be considered by a committee or committees in the Senate later this spring.
Earlier this week, cyber-flashing made the headlines in the UK when the British Transport Police revealed that the recorded incidents of unsolicited lewd images being AirDropped to women on trains had doubled.
With this new 10-year contract, the Virginia-based firm will become the SEC's leading provider of cybersecurity services. The contract was awarded on December 12, 2019, but was kept under wraps until yesterday.
According to a statement released February 20 on Booz Allen's website, the SEC picked the 106-year-old company for the job after being impressed by its ability to comprehend the commission's standing and aims.
The statement read: "Booz Allen was selected for its clear understanding of the agency’s mission and the firm’s reputation for building and operating modernized cyber defenses for federal and commercial clients that deliver rapid, durable improvements to security program maturity and effectiveness while generating cost savings."
Booz Allen pledged to employ the same tools, techniques, and mindsets as today’s most advanced threat actors to defend the SEC. The company said one element of its strategy would be to discover unknown vulnerabilities before they can be used for malicious purposes.
"Our team will provide the SEC with leading-edge, threat-centric, proactive cyber defense with the ability to detect and proactively address unknown threats, keep up with the rapid pace of change in the cyber industry and provide advanced cyber capabilities at scale," said Booz Allen's senior vice president, Mark Gamis.
Booz Allen is the largest provider of cybersecurity professional services in North America and the only company to hold all three of the federal government’s elite cybersecurity accreditations: NSA’s Cyber Incident Response Assistance (CIRA) accreditation, NSA’s Vulnerability Assessment Service (VAS) accreditation, and GSA’s Highly Adaptive Cybersecurity Services schedule.
Gamis said the company would draw on its existing knowledge and experience to protect the SEC from bad actors.
"The SEC is essential to the strong functioning of the U.S. and world economy, so we are proud the agency is entrusting Booz Allen to deliver cyber defense operations to protect its data and other critical assets from increasingly aggressive and destructive cyber-attacks," said Gamis.
"We will leverage our deep expertise and experience delivering cyber tradecraft across US Government and commercial clients and deploying groundbreaking cyber capabilities to protect mission-essential services and high-value assets."
A proposed class-action lawsuit has been filed against New Jersey's largest hospital health network over a ransomware attack that happened in December.
Threat actors infected the computer systems of Hackensack Meridian Health, causing a system-wide shutdown on December 2. The attack disrupted services at 17 urgent care centers, hospitals, and nursing homes operated by the network.
News of the attack was leaked to the media on December 5. Eight days later, Hackensack confirmed that it had paid an undisclosed sum to retrieve files encrypted in the ransomware attack.
Now, a proposed class-action lawsuit has been filed in a Newark district court by two plaintiffs seeking compensation, reimbursement of out-of-pocket expenses, statutory damages, and penalties.
The plaintiffs are also seeking to secure injunctive relief that will require Hackensack Meridian Health to undergo annual data security audits, make improvements to its security systems, and provide three years of credit monitoring services to breach victims free of charge.
In the 45-page complaint, the plaintiffs allege that Hackensack Meridian Health failed to adequately protect patients' data. They accuse the healthcare provider of running its network in a “reckless manner” that left its computer systems vulnerable to cyber-attackers.
The lawsuit further alleges that as a result of the attack, patients suffered major disruptions to their medical care for two days and were forced to seek alternative care and treatment.
An investigation conducted by Hackensack Meridian Health found no evidence that patient data had been stolen as a result of the ransomware attack. However, the plaintiffs allege that attackers stole their personal and protected health information and disclosed it to “other unknown thieves,” putting them at imminent risk of identity theft and fraud.
The plaintiffs allege that Hackensack Meridian Health has failed to officially notify patients of the attack and has not reported it to the US Department of Health and Human Services Office for Civil Rights (OCR), as required by the Health Insurance Portability and Accountability Act (HIPAA). Notice of the ransomware attack had not yet appeared on the OCR's breach portal at press time.
Hackensack Meridian Health, which is based in Edison, New Jersey, has more than 35,000 employees and generates around $6bn in annual revenue.
Google is unlikely to be moving UK users’ data to the US because of Brexit-related uncertainty and GDPR privacy rights will continue to be protected after any such move, according to a leading data protection lawyer.
Reports this week claimed that the tech giant is looking to move user accounts to US datacenters following Brexit, because it’s unclear whether UK law will be aligned with the EU’s GDPR after the transition period ends this year, a status known as “adequacy.”
In such circumstances, it would be more difficult for UK law enforcers to request access to user data for criminal investigations if it were still stored in Google’s Irish datacenter, it was claimed.
However, the UK has already enshrined GDPR into its own law (Data Protection Act 2018) and intends to recognize the EU’s data protection system as adequate, even in a no-deal scenario, because it believes free data flows to the continent are vital to economic growth.
This means that “Brexit should not affect UK to EEA data flows,” according to Toni Vitale, partner and head of data protection at JMW Solicitors.
He told Infosecurity that a move across the Atlantic would not affect Google UK users’ privacy rights or the ability of the British authorities to access such data.
“The rationale for the move is unlikely to have anything to do with Brexit, the EU GDPR or uncertainty of what will happen with UK data protection laws,” Vitale argued.
“The current position is that adequacy is likely and desirable and indeed possible by December 2020. However, it is unlikely this is the reason to move the Ireland datacenter. The EU GDPR and the UK version in the Data Protection Act 2018 will apply to Google wherever it sites its datacenter. UK law enforcers will still be able to take action against Google — but this is the same position as today, moving the datacenters does not affect this.”
Google itself has released a statement confirming this.
“Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information,” it noted. “The protections of the UK GDPR will still apply to these users.”
However, there are still concerns that, once located in the US, data on UK users could be subject to the country’s mass surveillance apparatus.
“Moving people's personal information to the USA makes it easier for mass surveillance programs to access it. There is nearly no privacy protection for non-US citizens,” argued Open Rights Group executive director, Jim Killock.
“We have no reason to trust a Donald Trump government with information about UK citizens. The possibilities for abuse are enormous, from US immigration programs through to attempts to politically and racially profile people for alleged extremist links.”
Vitale speculated that Google’s move may be motivated more by a desire to consolidate user data across multiple services under a single US-based data controller.
“Recent tax changes in the US made it more attractive to onshore jobs to the US so this may also be part of the reason,” he added.
The UK government has again named and shamed Russian military intelligence for attempting to destabilize a foreign nation via cyber-attacks, this time a wide-ranging operation on targets in Georgia last October.
The attacks led to the defacement of over 15,000 web pages in the former Soviet country with messages designed to undermine pro-Western former President Mikheil Saakashvili. Thousands more were forced offline and computers at several TV stations were hit with destructive malware, interrupting their service.
The UK’s National Cyber Security Centre (NCSC), part of GCHQ, said it was 95% certain the attacks came from Russia, as part of the same GRU program responsible for the BlackEnergy and Industroyer attacks on Ukraine’s power grid, and the infamous BadRabbit and NotPetya destructive operations.
The government claimed the Kremlin was attempting to undermine Georgia’s sovereignty, sow discord and disrupt the lives of ordinary Georgian people.
“The GRU’s reckless and brazen campaign of cyber-attacks against Georgia, a sovereign and independent nation, is totally unacceptable. The Russian government has a clear choice: continue this aggressive pattern of behavior against other countries, or become a responsible partner which respects international law,” said foreign secretary Dominic Raab in a statement.
“The UK will continue to expose those who conduct reckless cyber-attacks and work with our allies to counter the GRU’s menacing behavior.”
The UK has publicly attributed a number of attacks over recent years to Russia as the Putin regime becomes ever more brazen in its attempts to sow discord overseas.
These include: VPNFilter, BadRabbit and NotPetya in 2017, attacks on the Democratic National Committee (DNC) ahead of the 2016 Presidential election, and anti-doping agency WADA the same year. It also blamed the GRU for information-stealing attacks on a “small UK TV station” in 2015.