US maritime facilities have been on high alert over the Christmas break after the Coast Guard revealed details of a ransomware-related outage in late December.
The bulletin described a recent attack causing widespread operational disruption at a “Maritime Transportation Security Act (MTSA) regulated facility.”
“Forensic analysis is currently ongoing but the virus, identified as ‘Ryuk’ ransomware, may have entered the network of the MTSA facility via an email phishing campaign. Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files,” it explained.
“The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems.”
The port facility’s operations were apparently disrupted for over 30 hours as a result of the attack.
The Coast Guard urged maritime authorities to implement risk management programs according to best practices outlined in the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-82.
Specific controls it recommended include intrusion prevention/detection systems, modern virus detection, host and server monitoring, network segmentation, up-to-date IT/OT network diagrams and regular back-ups.
Experts have been warning about a major cyber-attack on port facilities for some time. Late last year, a report from the Singapore-based Cyber Risk Management (CyRiM) project warned that a ransomware campaign targeting Asia’s ports could cost the global economy as much as $110bn.
In July last year the US Coast Guard issued a marine safety alert urging vessel and facility owners and operators to improve baseline cybersecurity, following an attack on a “deep draft vessel” bound for the Port of New York and New Jersey.
RavnAir Group was forced to ground flights on Saturday following a cyber-attack on the Alaskan company's computer network.
The nature of the attack was not disclosed; however, the company did reveal that the threat actors specifically targeted systems supporting the small airline's Dash 8 fleet (the turboprop-powered De Havilland Canada DHC-8 regional airliner).
As a result of the incident, the airline had to disconnect its entire Dash 8 maintenance system and the back-up system.
All RavnAir Alaska Dash 8 flights that were scheduled to take place on Saturday, December 21, a crucial day of travel in the busy holiday season, were affected.
PenAir flights and RavnAir Connect flights were unaffected by the incident, as they were able to run on back-up systems.
RavnAir wrote: "While we continue to work with the FBI, other authorities, and a cybersecurity company to restore affected systems, we are proactively cancelling all RavnAir Alaska Dash 8 flights until 12 noon today, and we expect to experience other schedule cancellations and delays within the RavnAir Alaska (Dash 8 Aircraft) network throughout the rest of the day because the cyber-attack forced us to disconnect our Dash 8 maintenance system and its back-up."
According to news site WKRN, RavnAir spokesperson Debbie Reinwand said that 260 passengers were affected by the malicious cyber-attack. Six flights were cancelled, including the 1:30 p.m. flight from Unalaska to Anchorage.
Disappointed customer Dennis Ede, who was due to take that 1:30 p.m. flight, told KUCB radio: "I'm not happy about it. If I can't get out today, I'll try to get out tomorrow. I'm trying to get home to Seattle to see my family for Christmas."
Two further flights were cancelled on Saturday due to adverse weather conditions.
"We will be trying to add flights where we can over the next two days," wrote RavnAir in a statement released at 1 p.m. Sunday, December 22.
"We have, where possible, re-booked passengers on other flights."
RavnAir Group serves 100 different communities in Alaska from its headquarters in Anchorage, many of which are inaccessible by road.
A critical flaw has been discovered in two Citrix products, placing 80,000 companies in 158 countries at risk.
The easily exploitable vulnerability could allow attackers to obtain direct access to a company's local network and to access a company’s credentials.
It could also be used to launch denial of service and phishing attacks and to implant malware that could lead to cryptocurrency mining.
Positive Technologies expert Mikhail Klyuchnikov found the vulnerability in Citrix Application Delivery Controller (formerly known as NetScaler ADC) and in Citrix Gateway (formerly known as NetScaler Gateway).
This vulnerability affects all supported versions of the products, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.
What makes the weakness especially dangerous is that it can be used to launch an attack that does not require access to any accounts, meaning it can be mounted by any external attacker.
Depending on the specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP). In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked.
This newly unearthed vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company's internal network from the Citrix server.
Citrix is notifying customers and channel partners about this potential security issue, for which a fix is still forthcoming.
The company has urged customers to upgrade all of their vulnerable appliances to a fixed version of the appliance firmware as soon as it is released. It has also set up an alert system, which customers can subscribe to so that they will learn as quickly as possible when a fix has been found.
Dmitry Serebryannikov, director of the security audit department at Positive Technologies, said: "Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet.
"Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat."
Researchers have unearthed a two-year phishing campaign targeting bank customers in Canada.
Fourteen banks, including CIBC, TD Canada Trust, Scotiabank, and the Royal Bank of Canada (RBC) were spoofed in a large-scale operation that involved multiple look-alike domains.
The attack starts by sending legitimate-looking emails containing a PDF attachment. The attachment uses what appears to be an official bank logo, as well as an authorization code.
Victims are told that they need to renew their digital certificate so that they can continue to access online banking. When the victim clicks on any of the URLs that appear in the attached document, they are led to a phishing page asking them to enter their banking credentials.
The intricate scam was uncovered by researchers at Check Point Research, who wrote: "Looking into the detected artifacts revealed an ongoing phishing attack that has been going after customers of Canadian banks for at least two years.
"By sending highly convincing emails to their targets, constantly registering look-alike domains for popular banking services in Canada and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time."
In the case of RBC, although the phishing website looks identical to the bank's genuine RBC express login page, the attackers actually invested little time in constructing the deceptive replica.
"They simply took a screenshot of the official website and added invisible text boxes on top of the input fields to harvest the victim’s credentials," wrote researchers.
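The "screenshot plus invisible text boxes" construction is cheap to build but also leaves a recognisable fingerprint: a page whose visible content is one image, with form inputs that are absolutely positioned and styled transparent so they sit over the painted fields. The following heuristic is an added example, not Check Point's tooling and not code recovered from the campaign; it uses only the Python standard library, and the two HTML documents at the bottom are constructed for the example rather than captured from a real site.

```python
"""Heuristic detector for 'screenshot with invisible input overlay' phishing pages.

Added example (not Check Point's code). A single pass with the standard-library
HTML parser collects a few features, and a page is flagged when it looks like a
picture of a login form with transparent, absolutely positioned inputs laid on top.
"""
import re
from html.parser import HTMLParser

# CSS fragments that hide a control while it still accepts keystrokes.
INVISIBLE_RE = re.compile(
    r"opacity\s*:\s*0(?:\.0+)?(?![.\d])|(?:background(?:-color)?|color)\s*:\s*transparent",
    re.I,
)
POSITIONED_RE = re.compile(r"position\s*:\s*(?:absolute|fixed)", re.I)
SKIP_INPUT_TYPES = {"hidden", "submit", "button", "image", "reset"}


class _PageWalker(HTMLParser):
    """Collects the features the heuristic needs in one pass over the document."""

    def __init__(self):
        super().__init__()
        self.images = 0
        self.inputs = 0            # text-accepting inputs
        self.invisible_inputs = 0  # ...that are positioned and transparent
        self.labels = 0
        self.text_chars = 0        # visible text outside <script>/<style>
        self.form_actions = []
        self._in_raw = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._in_raw = True
        elif tag == "img":
            self.images += 1
        elif tag == "label":
            self.labels += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            if a.get("type", "text").lower() in SKIP_INPUT_TYPES:
                return
            self.inputs += 1
            style = a.get("style", "")
            if POSITIONED_RE.search(style) and INVISIBLE_RE.search(style):
                self.invisible_inputs += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_raw = False

    def handle_data(self, data):
        if not self._in_raw:
            self.text_chars += len(data.strip())


def analyse(html: str) -> dict:
    """Return the collected features plus a verdict and the reasons behind it."""
    w = _PageWalker()
    w.feed(html)
    w.close()
    reasons = []
    if w.inputs and w.invisible_inputs == w.inputs:
        reasons.append("every text-accepting input is absolutely positioned and transparent")
    if w.images and w.text_chars < 40:
        reasons.append("page is essentially an image with almost no visible text")
    if w.inputs and not w.labels:
        reasons.append("inputs carry no <label> elements, consistent with a picture standing in for the UI")
    return {
        "suspicious": len(reasons) >= 2,   # one signal alone is common on legitimate pages
        "reasons": reasons,
        "inputs": w.inputs,
        "invisible_inputs": w.invisible_inputs,
        "images": w.images,
        "text_chars": w.text_chars,
        "form_actions": w.form_actions,
    }


# Constructed sample: a screenshot of a login page with transparent inputs over it.
FAKE_OVERLAY_PAGE = """<html><body>
<img src="login_screenshot.png" style="width:1024px;height:768px">
<form action="https://example.invalid/collect.php" method="post">
<input type="text" name="user" style="position:absolute; top:310px; left:420px; width:180px; opacity:0">
<input type="password" name="pass" style="position:absolute; top:350px; left:420px; width:180px; background:transparent; color:transparent; border:0">
<input type="submit" style="position:absolute; top:400px; left:420px; opacity:0">
</form></body></html>"""

# Constructed sample: an ordinary login form with real text and labels.
LEGIT_LOGIN_PAGE = """<html><body><h1>Sign in</h1>
<p>Enter your client card number and password to sign in to online banking.</p>
<form action="/signin" method="post">
<label>Client card <input type="text" name="card"></label>
<label>Password <input type="password" name="pw"></label>
<input type="submit" value="Sign in"></form>
<img src="logo.png" alt="bank logo"></body></html>"""

if __name__ == "__main__":
    for name, page in (("overlay", FAKE_OVERLAY_PAGE), ("legit", LEGIT_LOGIN_PAGE)):
        print(name, analyse(page))
```

The threshold of two independent signals keeps the check from firing on image-heavy but legitimate pages; in a real pipeline the form action host (collected in `form_actions`) would additionally be compared against the brand being impersonated.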
Linguistic clues in the lure documents let the researchers establish how long the campaign had been running.
Researchers wrote: "There were multiple variants of the PDF attachments, with slight differences between them. However, some of the textual instructions they contained were repetitive, used unique phrasing and appeared in more than one document.
"This allowed us to hunt for more samples and find related PDFs dating back to 2017."
The phishing website that appeared in the PDF attachments resolved to a Ukrainian IP address, which researchers found was hosting more domains impersonating RBC in addition to other banks.
Commenting on the scam, Jonathan Knudsen, senior security strategist at Synopsys, said he felt it was time users wised up.
"Users should understand the capabilities of phishers; they should know that anyone can construct a web site that looks just like the real thing, and anyone can get a legitimate certificate for a fake web site."
A Londoner who blackmailed Apple threatening to factory reset hundreds of millions of iCloud accounts has been sentenced at Southwark Crown Court.
Kerem Albayrak, 22, from North London, demanded that the tech giant give him $75,000 in crypto-currency or a thousand $100 iTunes gift cards in return for deleting what turned out to be a non-existent database of 319 million ‘accounts.’
In March 2017, he emailed Apple Security with the threat, subsequently sending the team a link to a video of himself accessing two seemingly random iCloud accounts.
It turned out that those accounts and others he had access to were from previously compromised third-party services that were mainly inactive, according to the National Crime Agency (NCA).
Apple contacted the NCA following its receipt of the blackmail demand and officers swooped on Albayrak’s house on March 28, seizing his smartphone, computer and hard drive. After examining his phone records they linked him to a hacker group known as “Turkish Crime Family.”
He pleaded guilty to two counts of unauthorized acts with intent to impair the operation of or prevent/hinder access to a computer, and one count of blackmail.
However, Albayrak escaped jail time, after the court handed down a two-year suspended sentence, 300 hours of unpaid work and a six-month electronic curfew.
“Albayrak wrongly believed he could escape justice after hacking in to two accounts and attempting to blackmail a large multi-national corporation. During the investigation, it became clear that he was seeking fame and fortune. But cyber-crime doesn’t pay,” argued NCA senior investigating officer, Anna Smith.
“The NCA is committed to bringing cyber-criminals to justice. It is imperative victims report such compromises as soon as possible and retain all evidence.”
Twitter has been forced to suspend thousands of accounts linked to state-backed campaigns driven by Saudi Arabia and designed to influence public opinion, it has revealed.
The social networking site claimed in a new blog post on Friday that 5929 accounts had been removed for “violating our platform manipulation policies.”
“These accounts represent the core portion of a larger network of more than 88,000 accounts engaged in spammy behavior across a wide range of topics. We have permanently suspended all of these accounts from the service,” Twitter said.
“In order to protect the privacy of potentially compromised accounts repurposed to engage in platform manipulation, and in response to researcher feedback requesting that we pre-filter unrelated spam, we have not disclosed data for all 88,000 accounts.”
By liking, retweeting and replying to posts, these inauthentic and hijacked accounts apparently amplified messages favorable to the Saudis.
Twitter claimed the coordinated activity could be traced back to a Saudi social media marketing company known as Smaat.
“Our in-house technical indicators show that Smaat appears to have created, purchased, and/or managed these accounts on behalf of — but not necessarily with the knowledge of — their clients,” it explained. “We have permanently suspended Smaat’s access to our service as a result, as well as the Twitter accounts of Smaat’s senior executives. Smaat managed a range of Twitter accounts for high-profile individuals, as well as many government departments in Saudi Arabia.”
Those Smaat employees appear to have used automated third-party tools to amplify non-political content in large volumes; a tactic apparently designed to disguise the more important political content from moderators.
Twitter has been busy this year removing state-backed attempts to manipulate public opinion for geopolitical advantage. In June it shut down 5000 Iranian and Russian accounts accused of doing so, and in August it was the turn of China, which had 1000 accounts suspended for spreading propaganda about Hong Kong.
Nearly 173 million usernames and passwords were compromised when a leading gaming developer was breached in September, it has emerged.
Zynga burst on the gaming scene when its Farmville title became a hit a decade ago. It followed this success with Words with Friends, a hugely popular Scrabble-like word game it acquired.
Although Zynga acknowledged the breach at the end of September, several weeks after hackers struck, notification site HaveIBeenPwned now has the official figure on how many accounts were affected.
It claimed in an update late last week that a total of 172.9 million unique email addresses, along with usernames and passwords, were compromised in the attack. On the plus side, passwords were stored as salted SHA-1 hashes rather than in plaintext: the per-user salt defeats precomputed lookup tables, although SHA-1 is a fast hash, so weak or reused passwords can still be recovered by dictionary attack.
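To make the "salted SHA-1" point concrete, the following added example (not Zynga's code; all usernames, passwords, salts and the wordlist are constructed) builds a small leaked-database lookalike, runs a dictionary attack against it, and compares the per-guess cost of a single SHA-1 with that of PBKDF2-HMAC-SHA256 at a high iteration count. The salt stops one table from serving every account, but with a fast hash each account is still cheap to attack, and a slow KDF only raises the price of a guess; a password that is not in the attacker's list is what actually survives.

```python
"""Dictionary attack against salted SHA-1 versus PBKDF2 (added example, not Zynga's code).

Constructed data throughout: the three accounts, their random salts and the wordlist
are made up for the demonstration.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000


def hash_sha1_salted(password: bytes, salt: bytes) -> bytes:
    """Legacy scheme: one SHA-1 over salt || password. Fast, so cheap to guess against."""
    return hashlib.sha1(salt + password).digest()


def hash_pbkdf2(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow alternative: PBKDF2-HMAC-SHA256; each guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def build_database(accounts, hash_fn):
    """Map username -> (salt, digest), the way a leaked credential table would look."""
    return {user: (salt, hash_fn(pw, salt)) for user, pw, salt in accounts}


def dictionary_attack(stored, wordlist, hash_fn):
    """Try every word against every record.

    Returns ({username: recovered_password}, number_of_hash_evaluations). Each record
    has its own salt, so the work cannot be shared between accounts; with a fast hash
    that is no real obstacle, with a slow KDF every evaluation is expensive.
    """
    recovered = {}
    evaluations = 0
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            evaluations += 1
            if hmac.compare_digest(hash_fn(guess, salt), digest):
                recovered[user] = guess
                break
    return recovered, evaluations


# Constructed sample: two players share a weak password, one uses a strong one.
ACCOUNTS = [
    (b"player1", b"farmville123", os.urandom(16)),
    (b"player2", b"farmville123", os.urandom(16)),
    (b"player3", b"Kx9#vT2p!qLm4@zR", os.urandom(16)),
]
WORDLIST = [b"password", b"123456", b"letmein", b"farmville123", b"wordswithfriends"]


def compare_schemes():
    """Run the same attack against both schemes and report recoveries and wall time."""
    results = {}
    for name, fn in (("sha1_salted", hash_sha1_salted), ("pbkdf2", hash_pbkdf2)):
        db = build_database(ACCOUNTS, fn)
        start = time.perf_counter()
        recovered, evaluations = dictionary_attack(db, WORDLIST, fn)
        results[name] = {
            "recovered": recovered,
            "evaluations": evaluations,
            "seconds": time.perf_counter() - start,
            # same password, different salt, different digest: the salt is doing its job
            "salt_separates_duplicates": db[b"player1"][1] != db[b"player2"][1],
        }
    return results


if __name__ == "__main__":
    for scheme, r in compare_schemes().items():
        print(f"{scheme}: recovered={r['recovered']} "
              f"evaluations={r['evaluations']} time={r['seconds']:.3f}s")
```

Both schemes give up the two weak passwords after the same 13 guesses; the difference is that the PBKDF2 run takes roughly 100,000 times longer per guess, which is the whole point of a deliberately slow KDF. Argon2 or scrypt (available as `hashlib.scrypt` on recent builds) would be the usual choice today, but PBKDF2 is in the standard library everywhere and makes the cost comparison visible.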
News of the breach went public at the end of September when notorious cyber-criminal “Gnosticplayers” claimed to have obtained data on over 218 million users.
At the time, Zynga responded by urging users not to share passwords across multiple accounts, and to ensure they create “a unique and strong” credential for all of their online accounts.
“Cyber-attacks are one of the unfortunate realities of doing business today. We recently discovered that certain player account information may have been illegally accessed by outside hackers,” it said at the time.
“We understand that account information for certain players of certain Zynga games may have been accessed. As a precaution, we have taken steps to protect certain players’ accounts from invalid logins, including but not limited to where we believe that passwords may have been accessed.”
Tim Dunton, MD of Nimbus Hosting, argued that social gaming customers are prime targets for data theft.
“All online game organizations need to ensure cybersecurity measures are a top priority in their company culture, to avoid this kind of attack happening in the future,” he added.
“They need to focus on adopting safe, modern and frequently updated IT servers, which are immune to leaking information, even to the most advanced of criminal cyber-specialists.”
Payment processing systems at Wawa, the American chain of convenience and fuel stores, harbored malware that steals payment card information for nine months.
In an open letter published online yesterday, Wawa CEO Chris Gheysens announced that the malware had potentially been operating at all of Wawa's 842 locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, DC, and Florida since March.
"Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019," wrote Gheysens.
"This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019, and until it was contained."
By April 22, the malware is thought to have spread to most Wawa stores.
An investigation launched by Wawa into the incident discovered that payment card information, including debit and credit card numbers, expiration dates, and cardholder names, had been exposed as a result of the long-running cyber-attack. ATMs in Wawa stores were not impacted.
In a statement released to the press yesterday, Wawa said that it "is not aware of any unauthorized use of any payment card information as a result of this incident."
Wawa has said it took "immediate steps after discovering this malware and believes it no longer poses a risk to customers." However, no details have been revealed as to what type of malware was used in the prolonged card-skimming attack or how it gained a foothold in Wawa's payment processing systems.
Gheysens apologized for the breach, and assured all customers impacted that they "will not be responsible for fraudulent charges related to this incident."
Jonathan Deveaux, head of enterprise data protection at comforte AG, commented: "Details are unclear regarding the type of malware installed on the Wawa payment processing servers, however, if the payment card data was protected in real-time with security tokenization, exfiltration of data from Wawa databases would have contained worthless tokens for the bad actors.
"Instead, when data is left in its clear-text form, credit and debit card numbers are exposed, which can put millions of payment card holders in a bad position."
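The tokenization Deveaux describes replaces the primary account number (PAN) with a surrogate before it reaches the systems an attacker is likely to compromise, so that a payment-processing server or its database holds nothing worth exfiltrating. The vault-style implementation below is an added example, not comforte's product or anything from Wawa's environment: the token is a random digit string of the same length as the PAN, keeps the last four digits for receipts and lookups, and is constructed to fail the Luhn check so it can never be mistaken for, or replayed as, a real card number. The card numbers used are standard test numbers; a production vault would also encrypt its mapping at rest and run as a separately protected service.

```python
"""Vault-style payment card tokenization (added example, not a vendor's implementation).

The PAN exists only inside TokenVault; everything upstream stores the token.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check used to recognise well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens and back. The maps are the only copy of the PAN."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        # Same PAN, same token: lets upstream systems recognise a returning card
        # without ever seeing the number (a design choice; one-time tokens also exist).
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject anything that passes Luhn, collides, or equals the PAN itself,
            # so a stolen token can never be presented as a card number.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the settlement path, behind its own access controls, should call this."""
        return self._token_to_pan[token]


def record_transaction(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a payment-processing server stores once tokenization is in the path."""
    return {
        "token": vault.tokenize(pan),
        "last4": pan[-4:],
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    vault = TokenVault()
    for pan in ("4111111111111111", "5555555555554444"):   # standard test numbers
        rec = record_transaction(vault, pan, 1299)
        print(rec, "-> settles as", vault.detokenize(rec["token"]))
```

Skimming malware sitting on the processing server, as in the Wawa case, would see only `record_transaction`'s output; the value of the breach then collapses to the last four digits, which are printed on every receipt anyway.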
A malicious email campaign that exploits the notoriety of youthful Swedish climate crisis activist Greta Thunberg has been discovered by multiple research teams.
Threat actors constructed an email that appears to invite the recipient to participate in a demonstration being held to protest the lack of government action being taken to protect the natural environment.
The email purports to be from environmental activist Greta Thunberg. In a bid to appear more authentic, the sign-off references a genuine accolade recently awarded to Thunberg—being named Time Person of the Year 2019.
The email states that the time and location of the non-existent demonstration are included in a Microsoft Word document "Support Greta Thunberg.doc," which is attached to the email. When the victim opens the document, the Emotet malware is installed on their computer.
Emotet first appeared as a banking Trojan in 2014, has since evolved into a loader used to deliver other malware, and has recently made a significant comeback. In its Q3 2019 Threat Report, Proofpoint found that Emotet accounted for nearly 12% of all malicious emails in that quarter.
As if exploiting the positive actions of a teenager and public concern over the future of the planet wasn't enough, the emotionally manipulative scammers stooped even lower by throwing Christmas and children into the mix.
The content of the malicious email reads: "Merry Christmas. You can spend Christmas Eve looking for gifts for children. They will tell you Thank you only that day. But the children will thank you all their lives if you come out for the biggest demonstration in protest against the inaction of the government in connection with the climate crisis."
Proofpoint researchers who detected this festive incarnation of Emotet wrote: "This campaign serves as a reminder that attackers won’t hesitate to target people’s best intentions during this holiday season."
The threat actors also appeared to be specifically targeting .edu domains used by students.
"We saw more .edu domains attacked than domains associated with any specific country," wrote Proofpoint researchers.
Versions of the same malicious email have been doing the rounds in a variety of languages, including Spanish, Italian, French, and Polish.
The one positive takeaway is that the threat actors’ topic of choice signals growing global awareness of Thunberg and the issues for which she advocates.
Proofpoint researchers noted that the campaign "serves as a mark of how significant environmental awareness has become and how well-known Greta Thunberg is globally."
New research into the attitudes and beliefs of cybersecurity professionals has identified a sharp rise in the number of businesses paying up when stung by a ransomware attack.
The 2019 Global Security Attitude Survey Report by California cybersecurity technology company CrowdStrike shows that the number of global organizations paying ransoms from supply-chain attacks has more than doubled from 14 to 39 percent in the past year.
In the UK, over the same time period, the number of businesses coughing up their money after being held to ransom by threat actors has increased by 100 percent from 14 percent to 28 percent.
On a more positive note, it takes UK organizations on average 39 hours to detect an adversary, versus a sluggish global average of 120 hours.
Over three-quarters (77 percent) of survey respondents admitted that their organization had experienced a supply-chain attack at least once at some point in time, up from 66 percent in 2018. However, compared to last year, more businesses said that they were prepared for such an incident.
Over half (52 percent) of those hit by a software supply-chain attack in 2019 had a comprehensive strategy in place at the time, compared to only just over a third (34 percent) 12 months ago.
"Reacting with speed to next-generation, persistent and pervasive threats requires the power of the cloud and crowdsourced data on the real threats facing organizations, whether they are malicious files or from file-less behaviors," said John Titmus, senior director, sales & solution engineering, EMEA region, CrowdStrike.
"The solution to these threats lies within the power of the cloud and AI to leverage vast data sets to spot indicators of attack before those attacks break out and become breaches. Then organizations react at the speed required to beat organized cybercriminals and nation-state adversaries."
The 2019 Global Security Attitude Survey Report is based on responses from 1,900 senior IT decisionmakers and professionals from across the US, Canada, UK, Mexico, Middle East, Australia, Germany, Japan, France, India, and Singapore, working in a wide range of industries. Responses were recorded in the fall of 2019.
UK police officers and staff reported on average four lost or stolen devices every day over the most recent financial year, according to newly released data.
Think tank Parliament Street obtained the figures through Freedom of Information (FOI) requests to 22 forces across the country, to better understand their risk exposure from mobiles, tablets, laptops, radios, USB drives and other devices.
In total, 2600 of these devices were reported lost or stolen over the past three financial years, with around half (1360) reported in the financial year 2018-19.
This amounts to an increase in lost/stolen devices of 150% from the 544 reported missing in 2016-17.
The worst offender was West Midlands Police, which reported 1012 missing devices over the three-year period. This included 16 laptops, 112 mobile phones and 884 police radios, 494 of which went missing last year.
There was a big drop-off before second-placed Staffordshire Police, which reported 277 lost or stolen devices, and third-placed Greater Manchester Police (225).
Those which saw the biggest increase in missing equipment between 2016 and 2019 were Gwent Police, which reported a 2500% jump, Norfolk and Suffolk Constabulary (1,500%) and Durham (200%).
Absolute Software VP EMEA, Andy Harcup, argued that most of these devices would have contained sensitive data on police investigations, including confidential information about criminals, suspects and victims.
“Everyone recognizes the loss of laptops and mobiles in the line of duty is inevitable, so it’s vital that forces have the necessary systems in place to track and freeze equipment when it falls into the wrong hands,” he added.
“This approach can help improve cybersecurity standards, protect the privacy of individuals and prevent criminals and opportunistic thieves from misusing police devices and stealing data.”
It’s not just the police that are exposed to cyber-risk related to device loss. UK government workers reported over 500 lost or stolen devices over the past year, while at the Ministry of Defence, missing device reports soared 300% over the past two years.
It's unclear whether the majority of devices reported lost or stolen by the police were password protected, encrypted, and/or fitted with device wipe capabilities, according to best practices.
A database of 267 million Facebook user IDs, phone numbers, and names was left exposed online for a fortnight thanks to another cloud misconfiguration, according to researchers.
The trove was likely to have been the result of an illegal scraping operation carried out by cyber-criminals, according to consultant Bob Diachenko and researchers at Comparitech.
“One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018,” explained Comparitech’s Paul Bischoff.
“Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted. Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.”
The researchers warned that such a large database of sensitive information could be used in major spam, phishing and smishing campaigns.
The database itself was first indexed on December 4, with the data posted on a hacker forum eight days later. Diachenko discovered it on December 14 and notified the ISP managing the IP address, and five days later it was made unavailable.
The original leak came about because of a misconfigured Elasticsearch cluster.
This is just the latest in a long line of data leaks stemming from unsecured cloud databases. In November personal data on over one billion individuals harvested by data enrichment companies was found exposed.
Then in December, over one billion email-password “combos” were found in a similar way by Diachenko. They’re thought to have been stolen or bought by hackers.
An opinion issued yesterday by an advocate general of the EU's top court has raised questions over the validity of the Privacy Shield data sharing framework between Europe and the US, although it confirmed the legality of standard contractual clauses (SCCs), with caveats.
The opinion of advocate general (AG) of the EU Court of Justice, Henrik Saugmandsgaard Øe, stems from the infamous Facebook-Max Schrems case in which a complaint by the latter claimed that transfer of his data from the EU to the US by the social network infringed his privacy rights.
That led to the end of the Safe Harbor data sharing agreement between the EU and US in 2015, because the latter’s bulk surveillance programs, as revealed by Edward Snowden, were considered to imperil Europeans’ privacy rights without providing any adequate means of redress.
The new opinion issued by the advocate general indicates the EU still has concerns over Safe Harbor’s successor, Privacy Shield.
“According to the advocate general, the resolution of the dispute in the main proceedings does not require the court to rule on the validity of the ‘privacy shield’ decision, since that dispute concerns only the validity of Decision 2010/87,” a statement from the Court of Justice noted.
“Nevertheless, the advocate general sets out, in the alternative, the reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.”
However, SCCs are still a valid and legal way to transfer data to and from a “third country” (i.e. one outside the EU), despite the US surveillance regime, the opinion found.
The caveat is that data protection authorities in the trading bloc must keep an eye on the conditions within these third countries.
There is an obligation on them “to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.”
Overall, this is good for business and will ease fears about data flows post-Brexit as the UK will effectively become a third country at that time, according to experts.
“The advocate general’s opinion that the EU SCCs remain valid will be welcomed by business on both sides of the Atlantic, as the SCCs are one of the key mechanisms that underpin transfers of personal data to countries outside of the EU, including to the US,” said Bridget Treacy, partner at law firm Hunton Andrews Kurth.
“Despite the continuing validity of the SCCs, the AG points out that businesses that rely on the clauses still need to assess whether the recipient can comply with the clauses in relation to each particular transfer, and suspend transfers when that is not the case. Furthermore, EU data protection supervisory authorities have the power to suspend data transfers pursuant to the SCCs when an adequate level of protection for personal data cannot be provided in light of local laws and practices in the recipient country.”
The AG’s opinion is not legally binding, but the European Court of Justice, which is hearing the case next year, usually follows the same thinking.
Australia's Deakin University is to launch the country's first cybersecurity course accredited by the Australian Computer Society (ACS).
The ACS is the only body in Australia with the power to accredit IT and ICT courses. Only recently did it add cybersecurity to its accreditations.
Deakin University is the first educational establishment to be awarded specialist course accreditations in cybersecurity by the ACS, with five Deakin degrees and master's programs receiving recognition.
Yohan Ramasundara, president of ACS, said: "ACS has long been recognized as the accrediting body for technology-related degrees and post-graduate qualifications related to initial professional practice.
"With the growing need for expertise in cybersecurity for our evolving and growing digital economy, introducing recognition for specialist cybersecurity qualifications and expertise was a must."
ACS accreditation is awarded to an institution and its programs after a rigorous evaluation of their capacity to produce graduates who have the knowledge and skills required of a professional. Currently, there are more than 340 programs offered by over 40 institutions that are accredited by the ACS as meeting graduate standards for initial professional practice.
Professor Karen Hapgood, Deakin’s executive dean of science engineering and built environment, said the university's new cybersecurity accreditation demonstrated the high quality and academic integrity of its cybersecurity courses.
"Deakin is proud to be able to offer students a fully accredited cybersecurity course that will be recognized industry-wide and overseas," Professor Hapgood said.
"It certainly endorses the high-quality curriculum and the high quality of academic staff teaching our courses, and validates Deakin’s decision last year to update its cybersecurity courses in line with industry and world needs.
"As cybersecurity becomes more important to our national and global security than ever before, it is vital that students can take comfort that they are being taught at the highest possible level."
Around 500 students study a Bachelor or Master of Cybersecurity at Deakin each year, with an average annual intake of 150 students. The university launched the courses three years ago.
While cybersecurity courses are currently offered at many universities and other educational institutions across Australia, until now none of these courses had been accredited by an external and independent body.
Massachusetts' Department of Revenue is not doing enough to protect the sensitive information of taxpayers.
A recent report on the cybersecurity protocols of the Department of Revenue (DOR), compiled by auditor of the commonwealth Suzanne Bump, found that the DOR had no system in place to assess and document third-party vendor risks.
Furthermore, the audit found that the DOR had no documented and tested incident response procedures and had not established an information technology strategy committee.
The department previously had a security review board, but the board has not been active since early 2017.
"Without a committee or board charged with governing DOR’s IT environment, responsibility for IT governance and risk is not clear. This can result in information security risks and investments not being aligned with business needs," states the report.
"Without documented and tested incident response procedures, there is a higher-than-acceptable risk that DOR may not be able to respond properly to information security incidents, which may result in delayed identification of an incident, additional loss of data, or negative public opinion."
The audit revealed that the DOR had failed to come up with an interdepartmental service agreement (ISA) with the Executive Office of Technology Services and Security (EOTSS) that defined and documented updated roles and responsibilities, despite having three years in which to do so.
The report states: "DOR management officials told us that they had been trying for three years to negotiate an ISA with EOTSS. They mentioned organizational and managerial changes at EOTSS as a cause of the delay."
No instances in which sensitive data had been compromised were discovered, but Bump’s office found that the DOR "was not prepared to respond to or mitigate cyber-attacks it or its vendors face" and "did not have procedures in place to guide its response to IT security incidents."
"The whole infrastructure for data security was missing at the Department of Revenue," Bump said in an interview that aired Sunday morning on Boston TV show On the Record.
The report, which was published on December 13, covered the DOR’s IT and security-related activities from July 2016 through December 31, 2018.
New research into litigation trends has identified cybersecurity as a major new source of legal disputes in the United States.
Of the 287 lawyers polled, 44 percent said that they foresee cybersecurity and data protection as a new source of disputes during the next few years.
The results of the 2017 and 2018 editions of the Litigation Trends Annual Survey saw cybersecurity and data protection concerns coming to the forefront as a key challenge in dispute management. However, the trend saw a marked rise this year, with respondents reporting an increase in the number of disputes triggered by data privacy issues.
From 2018 to 2019, the number of in-house counsel who rated cybersecurity and data privacy as the most important litigation issue they faced doubled. More than half of those surveyed (52 percent) feel more exposed than previously to such disputes.
Respondents to Norton Rose Fulbright's survey said that their concern over cybersecurity stemmed from the volume of threats, the creativity of threat actors, and the sensitivity of the data content. Counsel were also worried about some jurisdictions’ enactment of stringent data privacy laws.
Rapid growth in the size of the organization was also a key factor. One respondent quoted in the research wrote: "We’re growing at such a fast rate, in terms of the number of companies and the volume of work in the insurance industries, we have a large number of consumer-facing data points, so our consumer data retention is probably tripling yearly."
Companies in 2019 whose in-house counsel took part in the survey spent $1.5m on average on disputes and employed 2.5 disputes lawyers per $1bn of revenue.
Researchers found that more than 80 percent of companies conduct third-party and/or in-house assessments of cybersecurity and data protection risks, and such assessments are helpful in reducing these types of risks.
Other findings of the research are that counsel predict a rise in litigation caused by an anticipated economic downturn. Thirty-five percent of corporate counsel—8 percent more than in 2018—expect disputes to increase in the next year. Nearly two-thirds of corporate lawyers said economic downturns lead to an increase in litigation cases.
Introduced in 2004, Norton Rose Fulbright’s Litigation Trends Annual Survey is the longest-running survey of corporate counsel on litigation issues and trends.
Honda has become the latest big-name brand to expose the personal information of countless customers because of a cloud misconfiguration.
The carmaker’s North America business leaked around 26,000 unique customer records thanks to an unsecured Elasticsearch cluster, according to security researcher Bob Diachenko.
He found 976 million records in total in the exposed database, including one million containing information about Honda owners and their vehicles — including names, contact details and vehicle information.
Although he was unable to confirm the volume of exposed records, Honda put the figure at just shy of 30,000.
“We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII,” it said in a statement sent to Diachenko. “We can also say with certainty that there was no financial, credit card or password information exposed on this database.”
On the plus side, the company acted promptly to resolve the security issue, shutting the server on December 13, just a day after it was informed. However, it claimed the misconfiguration happened on October 21 and the database was first indexed by search engine BinaryEdge on December 4, leaving plenty of time for hackers to potentially scan for and find the trove.
Diachenko warned that the exposed data could be used to craft convincing follow-on phishing emails.
“The security issue you identified could have potentially allowed outside parties to access some of our customers’ personal information. We quickly investigated this issue, determined the specific breach in protocol, and took immediate steps to address the vulnerability,” the statement continued.
“Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations.”
The incident comes just months after Honda leaked 40GB of data on its internal security systems, via another unsecured Elasticsearch server.
A former IT administrator at Palo Alto Networks and four others have been charged with insider trading, in a three-year conspiracy said to have netted them over $7 million in profits.
According to a complaint filed by the SEC, Janardhan Nellore used his IT credentials and work contacts to access confidential information about his former employer’s financial performance and quarterly earnings.
He then allegedly traded Palo Alto Networks shares based on that information, and tipped off four friends: Sivannarayana Barama, Ganapathi Kunadharaju, Saber Hussain, and Prasad Malempati.
To cover up the scam, he is alleged to have told the group to use the code word “baby” to refer to the technology company’s stock. It’s also claimed that some of the group kicked back profits to Nellore in small sums to avoid scrutiny.
Nellore is said to have bought one-way tickets to India for himself and his family following an interview with the FBI, and was arrested at the airport. Reports suggest the group made over $7 million from insider trading activity that ran from 2015 to 2018.
“As alleged in our complaint, Nellore and his friends exploited Nellore’s access to valuable earnings information and attempted to hide their misconduct using code words and carefully tailored cash withdrawals,” said Erin Schneider, director of the SEC’s San Francisco Regional Office. “This case highlights our use of enhanced data analysis tools to spot suspicious trading patterns and identify the traders behind them.”
Nellore and Barama are also the subject of criminal charges issued by the US Attorney’s Office for the Northern District of California.
Insider trading is increasingly facilitated by unauthorized IT access to digital information. In January this year, two Ukrainian nationals were charged with hacking the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, which stores documents related to company disclosures including test filings made before announcements go public.
They then allegedly sold this information to insider traders, making over $4 million in the process.
The FBI has issued a warning to holiday travelers not to use public Wi-Fi on the road this Christmas because of cybersecurity concerns.
As internet users cross countries and continents to be with friends and family over the holiday period, the Feds argued that Wi-Fi hotspots should be avoided.
“Don’t allow your phone, computer, tablet, or other devices to auto-connect to a free wireless network while you are away from home. This is an open invitation for bad actors to access your device. They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera,” it said in a “Tech Tuesday” post this week.
“If you do need to connect to a public hotspot — such as at an airport or hotel — make sure to confirm the name of the network and the exact login procedures. Your goal is to avoid accidentally connecting to a fraudster’s Wi-Fi that they are trying to make look legit.”
If using a public hotspot is unavoidable, the FBI urged users not to log in to any sensitive accounts such as online banking. Where possible, the Bureau advised individuals to use their smartphones as a private hotspot for other devices.
Although these best practices have long been promoted by the information security community, users, including business travelers, continue to expose themselves to unnecessary risks by using public Wi-Fi without adequate security.
A 2018 study from iPass revealed that 81% of global IT leaders had recorded staff Wi-Fi-related security incidents over the previous year.
VPNs are seen as the best way to ensure traffic and web browsing sessions are protected from Wi-Fi snoopers. However, UK IT leaders were least confident (38%) that their mobile workers are using a VPN every time they go online.
The FBI warning comes just weeks after LA County’s district attorney issued a public security notice warning people not to use public USB charging points for fear of so-called “juice jacking” malware attacks.
A bill designed to enhance the cybersecurity of K–12 schools was introduced to the US House of Representatives on Monday.
If passed into law, the K–12 Cybersecurity Act would require the Department of Homeland Security (DHS) to create a list of cybersecurity recommendations and a cybersecurity toolkit for educational institutions to use when making improvements to their cyber-protections.
The bill was introduced by Senators Rick Scott and Gary Peters, who both serve on the Senate Homeland Security Committee.
Peters, who also serves on the Governmental Affairs Committee, said: "Schools across the country are entrusted with safeguarding the personal data of their students and faculty, but lack many of [the] resources and information needed to adequately defend themselves against sophisticated cyber-attacks."
Support for the bill has been expressed by the National Education Association, the American Federation of Teachers, the National Association of Secondary School Principals, and the Consortium for School Networking.
It would further require the DHS to research and report back on the overall cyber-risks faced by schools.
Scott said: "The safety of our schools is always my top priority, and that includes protecting the information of our students and teachers. I’m proud to sponsor the K–12 Cybersecurity Act of 2019 to further protect our schools, students and educators, and give them the resources they need to stay safe."
The bill closely mirrors the State and Local Government Cybersecurity Improvement Act, which was introduced to the House in August but has yet to see any action.
According to data collected by Armor, over 1,000 schools in the United States have been affected by ransomware alone in 2019. In Louisiana, Governor John Bel Edwards declared a statewide emergency in July in response to ransomware attacks on three school districts.
It isn't just malware that poses a risk to American schools. In August 2019, a high school in Spotsylvania County, Virginia, wired $600,000 to a fraudulent football field turf provider after being deceived in an elaborate email phishing scam.
"School districts are a treasure trove for cyber-criminals seeking to pilfer valuable information, such as social security numbers and financial information until a ransom has been paid. From January through November of this year, SonicWall detected almost nine million intrusion attempts, demonstrating the tenacity and dedication of online threats and threat networks," commented Bill Conner, CEO of cybersecurity firm SonicWall.