On Monday Big Four accounting firm and consultancy Deloitte was reported to have sustained a breach that exposed some—Deloitte said six—customers' sensitive information.
Like its Big Four peers, Deloitte is a leading provider of cybersecurity consulting services. The firm was compromised through an admin account in October or November 2016; it discovered the breach in March 2017. Affected clients were told they may have been "impacted."
Deloitte's Microsoft Azure account was apparently compromised. Azure is Microsoft's cloud service, similar to Amazon Web Services or Google Cloud. The admin account through which the hackers gained their entrée seems to have been secured by a simple password, and not with any form of multifactor authentication. Information exposed includes emails, possibly usernames and passwords, IP addresses, and business and health information. Some of the content at risk may include sensitive security and design information.
Observers believed something was up when Deloitte retained Washington law firm Hogan Lovells at the end of April in connection with an unspecified cybersecurity matter (Guardian).
Survey says: frameworks are good, compliance could be better.
How does the public sector view the state of cyber risk management, IT modernization, and the role of cybersecurity standards in improving our nation’s cyber posture? A survey of government and industry attendees at the 2017 AWS Public Sector Summit provides a unique window into the perceptions, challenges and opportunities for cyber risk management. Download your copy of the 2017 Public Sector Cyber Risk Management Report.
SEC breach update.
The US Securities and Exchange Commission (SEC) got its expected wirebrushing from Congress this week over last year's EDGAR breach, which the SEC decided this month may well have been used to facilitate illicit trades. Of particular interest was the SEC's planned Consolidated Audit Trail (CAT), a kind of cyber panopticon for the financial markets (New York Times). Observers regard the CAT as a powerful tool for enforcement and compliance, and also as a complex and extremely attractive target for attackers.
Interested in the latest research in cyber security?
Our new Research Saturday podcast highlights research being done in industry, universities, and governments. Hear from people who are discovering threats, uncovering vulnerabilities, and devising the security measures to keep cyberspace as safe as it can be. Check it out.
Equifax and the lessons of incident response.
Equifax CEO and chairman Richard Smith retired Tuesday in an apparent gesture of atonement for the company's massive data breach. Paulino do Rego Barros Jr. has been appointed interim CEO; Mark Feidler will become non-executive chairman. Thus Smith joins the CIO and CSO in breach-linked retirement (TechCrunch). The company says Smith and the board “expressly agreed to defer any formal characterization of his departure and the determination of any payments or benefits” Smith may be owed until after the review of the data breach.
Equifax continues to receive very harsh reviews for its incident response, as experts warn all to brace for a breach-enabled cybercrime wave. The McClatchy news service offers a dismally probable list: steal your tax refund or Social Security check; get a second mortgage on your house; rent a car while pretending to be you (and then wreck that car); buy a gun in your name.
The incident should prompt serious examination of identity management. The old, familiar forms of establishing that you are who you say you are are obviously no longer remotely adequate. The Equifax breach has produced consensus on at least one point: Social Security Account Numbers can't serve as linchpins of identity anymore, and it was a questionable practice from the start (CNBC). (The old cards used to say, prominently, "not to be used for identification," which suggests this might have been clear to people as early as 1936. We seem to have forgotten that advice.)
Another lesson learned is the importance of timely disclosure. To be sure, there are reasons to wait until you're sure something has happened, and until you're reasonably sure the attackers won't profit by disclosure, but Federal News Radio puts it this way, in a piece aimed mostly at government workers, but with broader applicability as well:
"First, go public with breaches as soon as you can. Otherwise, it looks like you’re covering up. Crappy cyber practices eventually come to light anyhow. You don’t need a $5,000 a day crisis management expert to tell you that. Second, realize that bad cybersecurity is as inimical to your job as crashing the mission."
At midweek Equifax's interim CEO offered people affected by the breach a free lifetime credit freeze, with the ability to lock and unlock it at will. Fortune thinks it's too little, too late. New York's Department of Financial Services has subpoenaed the credit bureau as it continues to dig into the incident (BankInfo Security).
Attribution is of course always interesting in cases like this. The potential for criminal exploitation of the personal data stolen in this case is very large, but some observers think there are early signs of state-sponsored espionage in the incident. Insofar as such evidence has been publicly discussed, it's circumstantial and ambiguous (Bloomberg).
Chancellor Merkel was returned to office (with a coalition shifted a bit to the right) in Sunday's German elections. The widely expected Russian election-hacking and influence operations, after a brief flurry of escapes a few months ago, seem not to have materialized (Anomali).
A leading purveyor of fake news, or of satire that was retailed as real news by the man's political opponents, has died of an apparent accidental drug overdose (BBC). Paul Horner, who reached his sad end this week, had used his Facebook pages and multiple websites to push bogus stories about Democrats in the hope that they'd be picked up as real by Republicans, who would thereby be discredited as gullible consumers and purveyors of what came to be called "fake news." At least one of his stories was widely repeated: it told of protesters being paid $3000 to harass then-candidate Donald Trump. (Confirmation bias has afflicted people forever.)
Former Secretary of Homeland Security Jeh Johnson told Congress Thursday that he's not aware of any successful vote manipulation or voter suppression in the 2016 US elections that can be attributed to hacking. He does, however, think that certain vulnerabilities came to light that need to be addressed (Washington Examiner).
Election influence can resemble traditional institutional corruption, as it does in a current prosecution involving improper agency interference in the Republic of Korea's 2012 presidential election (KBS). The ROK's Cyber Command is said to have run a private news service with the support of the National Intelligence Service (Hankyoreh).
Zuckerberg says there's no bias at Facebook (The Bull). But social media have become influential in shaping political opinion (Times). Russian intelligence services were early to realize this, and have sought to insinuate themselves into social media conversations designed to inflame divisions among various American groups, social, religious, ethnic, and so on (Washington Post). Their goal seems fairly clear: disruption and erosion of trust, not the election of any particular slate of candidates (Times). Facebook's design itself may render exploitation easy (WIRED). And specialized tools capable of manipulating likes are out in the wild: use of the "Faceliker" malware is on the rise (Bleeping Computer). Another good indicator of influence operations in social media is botnet activity, now being observed in the NFL take-a-knee controversy (Medium).
Activists are being subjected to phishing from various sources (Help Net Security), and it's important to note that not all the threat actors involved are Russian organs. People continue to grope toward technical solutions to this problem, but there seem to be few obvious technical remedies (Foreign Affairs). And those offering bogus narratives work to fit the disinformation into a credible framework, surrounding the lies with a bodyguard of truth. For examples true in detail, false in import, RT exhibits a nice cageful here.
Passionate about empowering women to succeed in the cyber security industry?
Join other like-minded businesses in sponsoring the CyberWire’s 4th annual Women in Cyber Security event on October 17, 2017 in Baltimore. This networking event highlights and celebrates the value and successes of women in the industry. Join CenturyLink, Cylance, Excelon, E8 Security, IBM, LookingGlass Cyber, BoozAllen, ClearedJobsdotnet, CyberPoint, CyberSecJobs, DeltaRisk, DefensePoint Security and Creatrix as a sponsor.
With GPS spoofing and jamming looking like credible, present threats, military services turn to low-tech (New York Times) and high-tech (Strategy Page) back-ups and countermeasures.
Whole Foods disclosed this week that it's been breached, with the usual exposure of paycard data. The breach is said to have been confined to taprooms and sit-down full-service restaurants found in some of their stores, so Whole Foods thinks the damage may be relatively limited (Whole Foods). They also stress that only the upscale market chain was affected, not Whole Foods' new corporate parent, Amazon (Computing).
Drive-in chain Sonic also disclosed a paycard breach this week, thought to affect millions of cardholders. The company was alerted to the problem after financial institutions began noticing apparently fraudulent transactions last week. Some of the stolen cards have shown up for sale in the Joker's Stash criminal souk (KrebsOnSecurity). Investors have registered their displeasure, and Sonic's share price has dropped (Fortune).
Patches are out (but some are still leaky).
A Chrome update fixes some critical issues, most prominently CVE-2017-5121 and CVE-2017-512, both of which permitted out-of-bounds access in V8 (Chrome Releases).
Microsoft's Office and Windows patches get mixed reviews. September's fixes required two cumulative updates this past Monday. It's not immediately clear to reviewers whether the updates addressed problems overlooked or imperfectly handled earlier in the month, or if they took care of bugs the earlier patches themselves induced (Computerworld).
Apple is said to have "quietly patched" a security bypass flaw in MacOS (Security Week). Researchers at Duo Security announced Friday that they've found a serious and unpatched firmware flaw in the latest versions of MacOS (Duo).
A long-known Linux issue has been reclassified as a bug, and fixed. The flaw could enable privilege escalation attacks (Wccftech).
Stock trading apps are a little too wildcat.
Mobile stock trading apps have shown worrisome security holes for some time (Naked Security). On Wednesday IOActive released the results of a study it conducted into the security of twenty-one leading apps and found that matters have gotten worse since a similar study in 2013 (Infosecurity Magazine). Checking the software against fourteen security controls, IOActive found that 95% of the apps tested failed privacy, 62% had issues validating SSL certificates, 67% failed to store data securely, 95% flunked root detection, and 19% exposed passwords in plaintext. IOActive disclosed its findings privately to the vendors involved early in September. The researchers were disappointed in the response. Of the thirteen vendors they contacted, only two bothered to reply (ZDNet).
DDoS and ransomware can be business-killers.
As businesses now generally depend upon online availability, disruption of a reliable Internet presence has become a matter of survival (Computing). Ransomware and denial-of-service for extortion are increasingly common criminal tactics.
Ransomware continues to trend upward (Dark Reading). Comodo has found that the latest versions of Locky hitting targets in September are able to evade some of the machine learning tools put in place to detect and stop them (Dark Reading).
More cyber extortion waves continue. One of the more notable is a large spam campaign distributing the venerable Locky ransomware. Another is more of a protection racket—the crooks of the Phantom Squad group are shaking down companies with the threat of denial-of-service attacks if they don't pay up. DDoS prevention shop CloudFlare says it's about to launch a new service that will make distributed denial-of-service something you only read about in history books (Forbes). Good luck to them; we hope they're as good as their word, and will watch developments with interest.
What do GDPR and Y2K have in common?
They're both cash cows, according to one expert (Computing). Y2K, the Millennium Bug, was a widely feared problem that came to prominence when people realized that most 20th-Century software represented the year with only the last two digits: thus the year 2000 would be indistinguishable from the year 1900, and much chaos was envisioned. Some nations spent a lot of time and money trying to head the problem off; others shrugged and did little. When 2000 arrived, nothing much seemed to happen, but by that time a lot of retired COBOL programmers surely had fatter wallets.
GDPR is coming next May, and its heavy regulatory hand is much feared, probably with considerable justification. The similarity isn't that both fears are equally unfounded, but rather that the fear will enrich those who can (or say they can) assuage it.
Why the wave of breaches from AWS and other cloud services?
People don't secure their buckets (SC Magazine). It's too easy to regard the cloud as a set-it-and-forget-it affair, but you can't treat it like a toaster oven. Boards, C-suite, make sure you ask your IT people how they're using the cloud.
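The usual way a bucket ends up open is a policy statement or ACL grant that names everyone as the principal. The following is an added example, not code from the CyberWire article or from AWS: it reviews bucket policy and ACL documents offline, in the JSON shape the S3 API returns them, and flags grants to any principal or to the global AllUsers/AuthenticatedUsers groups. The two policies, two ACLs, the bucket name, the account ID 111122223333 and the owner IDs are all constructed for the demonstration; it calls no AWS API.

```python
"""Flag S3 bucket policies and ACLs that grant access to everyone.

Added example: the documents below are constructed, and the review is a
local check over the JSON you would fetch with get-bucket-policy and
get-bucket-acl. It does not call AWS.
"""

# The two global groups that make an ACL grant public.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """"Principal": "*" or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return 'Sid: actions' for each Allow statement open to any principal.

    Deny statements aimed at "*" are the normal way to enforce TLS and are not
    findings. An Allow that carries a Condition is still reported, marked
    "(conditioned)", because a reviewer has to confirm the condition is narrow.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_public(stmt.get("Principal")):
            label = stmt.get("Sid", f"statement[{i}]")
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            note = " (conditioned)" if "Condition" in stmt else ""
            findings.append(f"{label}: {actions}{note}")
    return findings


def public_acl_grants(acl):
    """Return 'Group: permission' for grants to the global groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{group}: {grant.get('Permission')}")
    return findings


def review_bucket(policy, acl):
    """Run both checks; an empty list means no public grant was found."""
    return ([f"policy: {f}" for f in public_policy_statements(policy)]
            + [f"acl: {f}" for f in public_acl_grants(acl)])


# Constructed sample documents (bucket name, account ID and owner ID are placeholders).
OBJECTS = "arn:aws:s3:::example-bucket/*"

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": OBJECTS}]}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReportingRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
     "Action": "s3:GetObject", "Resource": OBJECTS},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-bucket", OBJECTS],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
WEAK_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, policy, acl in (("weak", WEAK_POLICY, WEAK_ACL),
                              ("hardened", HARDENED_POLICY, PRIVATE_ACL)):
        print(name, review_bucket(policy, acl) or "no public grants")
```

The hardened policy keeps a `Deny` aimed at `"Principal": "*"`, which is how TLS-only access is normally enforced; the check ignores it because only `Allow` statements widen access. In an account that also has S3 Block Public Access switched on, such findings are neutralised even if someone later re-adds a public statement, so that setting is the first thing to confirm before reading policies at all.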
The Singularity as the Omega Point.
Erecting a virtual golden calf atop an altar of self-driving cars, Anthony Levandowski has founded a religion, Way of the Future, to prepare for the emergence of the (a?) godhead through artificial intelligence (WIRED). Strong AI does seem driven at least as much by mythos as mathematics (we've heard Olaf Stapledon cited as a prophet). For different imaginative views of this prospect, see these alternatives.
Crime and punishment, courts and torts.
The big picture seems to be that cybercrime is a runaway problem that law enforcement has yet to come to grips with. That, anyway, is the view from Europol.
Carlos Danger, as former US Representative Anthony Weiner (D-New York) called himself when he was in a frisky mood, received his sentence Monday morning after conviction for exchanging lewd texts and images with a minor. Señor Danger will be doing "hard time," as the New York Post put it: twenty-two months to be served at a Club Fed, probably one in Pennsylvania (New York Times).
Imran Awan, the former Congressional staffer now facing bank fraud charges and widely suspected of involvement in other alleged chicanery, has been defended by some of his former Capitol Hill patrons as he sits in jail. The data he downloaded from House servers, they've said, was nothing sensitive, just photos and his elementary-school-aged children's homework (Washington Post). Given that the downloads apparently amounted to "terabytes" (or "terabits," sources differ) we can only observe with wonder that the DC grade-school teachers must be really strict (Daily Caller).
Accused NSA leaker Reality Winner petitioned for pre-trial release (Atlanta Journal-Constitution). Prosecutors are using her own words to the FBI special agents who arrested her to press for continued confinement. They argue that she's a flight risk and a very attractive target for recruitment by foreign intelligence services (Military Times). Winner's receipt and maintenance of a security clearance presents a strong case that the US personnel security system indeed needs some sort of reform. Intelligence Community leaders are calling for it, but beyond replacing expensive and time-consuming regular reinvestigation with some form of continuous monitoring (SIGNAL), details on what else the reform might involve remain sketchy.
A former US Army contractor has been convicted of deliberately installing malicious code into a Service payroll system at Fort Bragg. Apparently an ill-conceived prank prompted by contract loss or novation, it cost millions to remediate: the man convicted, Mittesh Das, uploaded the virus a few days before the company he worked for was due to hand the work over to another firm. The judge explicitly told Mr. Das it wasn't funny (Army Times).
The House is said to have received a classified briefing on Kaspersky, and why the Government has moved to exclude the company's software from its networks. Kaspersky continues to insist it has no sinister ties to any intelligence agency (Bloomberg). Publicly, explanations for the ban have concentrated on Russian legal requirements that companies cooperate with security services.
Some analysts think they discern early signs that Palo Alto Networks may be interested in growth through acquisition (Investor's Business Daily).
Today's issue includes events affecting China, European Union, Republic of Korea, Pakistan, Russia, United States.
Two festive notes for our readers: A happy fiscal new year to the US Federal Government and its contractors. (The season is marked by Father Time and both houses of Congress with the traditional continuing resolution. And program managers, we trust you were all fully obligated by May, so there was none of that last-minute purchasing that's the stuff of urban legend.) Also, October is National Cyber Security Awareness Month. Patching, planning, and practicing are good ways to celebrate with awareness.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.