We all know the consequences of a third party data breach; one vulnerability can cost your organization millions. But do you know what security measures to implement to successfully reduce your attack surface and prevent third party risk? Learn how in LookingGlass Cyber Solutions' webinar featuring VP of Intelligence Operations Eric Olson and Forrester Senior Analyst Nick Hayes on Wednesday, October 18, 1:30pm ET. Sign up now.
The Week that Was.
September 24, 2017.
By The CyberWire Staff
SEC breached in 2016; data used for illicit trades?
The US Securities and Exchange Commission (SEC), the stock market watchdog, announced on September 20, 2017, that it learned last month that an intrusion into its EDGAR reporting system seems to have been used for illegal stock trading. The SEC knew in 2016 that EDGAR had been hit with unauthorized access; the news is that, upon investigation, the intrusion appears to have enabled illicit gains. The disclosure appeared in a long statement by the SEC chair outlining the ways in which cyber security and resilience are important, and describing the Commission's assessment of its risk profile. Here are the relevant passages:
"Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities. As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.
"In addition, like other organizations, we are subject to the risk of unauthorized actions or disclosures by Commission personnel. For example, a 2014 internal review by the SEC's Office of Inspector General ("OIG"), an independent office within the agency, found that certain SEC laptops that may have contained nonpublic information could not be located. The OIG also has found instances in which SEC personnel have transmitted nonpublic information through non-secure personal email accounts." (SEC)
EDGAR (Electronic Data Gathering, Analysis, and Retrieval) is the SEC's central collection point for the filings public companies are required to submit. Congress and the Department of Homeland Security have raised concerns over SEC cyber risk before (Reuters).
There's no word, yet, on who hacked EDGAR, how they did it, or how they exploited their guilty knowledge for stock trading.
Regulations, laws, and the standards of care that follow them are shifting rapidly, struggling to keep up with new technologies and a continually changing threat landscape. In this increasingly complex environment, how can organizations manage risk systematically and effectively? Learn more about how organizations are achieving situational awareness, while automating the labor-intensive tasks associated with managing IT risk and compliance.
Equifax's earlier breach attracts belated notice.
This one apparently happened in March (Bloomberg). Early reports seemed to indicate that Equifax had kept that incident quiet, but that seems not to have been the case. The credit bureau did indeed sustain a breach in March, well before the incident disclosed on September 14, but the company did in fact disclose that breach in a relatively timely manner. The industry press picked it up; big media didn't (The Hill).
This attack is thought by some to have been carried out by the same group that hit the credit bureau later, through its unpatched Apache Struts implementation. But there's no clear attribution, yet. Some suggest that it was a state-sponsored attack, but that may be an instance of wishful thinking: most enterprises would rather say they'd been compromised by sophisticated spies than by common criminals or script-kiddie skids (Australian).
There has been some additional embarrassment in the course of the credit bureau's incident response. Equifax took to social media (Twitter, specifically) to advise concerned consumers where to turn for news and assistance. Unfortunately the company's tweets transposed the URL and, for about two weeks, directed people to a watering hole set up with just such typosquatting in mind. The good news is that the watering hole was set up for research purposes, more or less, by a white hat developer who was curious how many people would show up at the bogus securityequifax2017.com instead of the genuine equifaxsecurity2017.com (Help Net Security).
The Register notes that Equifax last year began offering breach response preparation consulting. Among the advice it dispensed was that customers expected to be notified of a breach within hours of discovery.
The non-technical, non-engineering academic background of senior Equifax security executives has raised eyebrows, but consensus is that, on reflection, it's a false issue. There were no doubt many security failings in the company's culture and management, but degrees in music were not among them (Washington Post).
There's now a figure for the number of Canadians affected by the breach: 100,000, according to Equifax's Canadian division (The Hill).
Class action suits and state investigations have begun (PRNewswire), and consensus among lawyers is that more regulation is coming (New York Law Journal). Representative Langevin (D-Rhode Island) reintroduced a Federal breach notification bill. Senators urge the Federal Trade Commission to open an inquiry (Housing Wire).
Join us for Networking the Future: October 27 in Tampa, FL.
Networking the Future, the Florida Center for Cybersecurity's fourth annual conference, will host hundreds of technical and non-technical stakeholders from industry, government, the military, and academia to explore emerging threats, best practices, and the latest research and trends. Learn more about how you can join us.
That other big breach, OPM's, is still being litigated.
Lawsuits against OPM and its contractors were dismissed Tuesday (The Hill). Appeals were filed within an hour of the dismissal, so this isn't over (National Law Journal).
Passionate about empowering women to succeed in the cyber security industry?
Join other like-minded businesses in sponsoring the CyberWire’s 4th annual Women in Cyber Security event on October 17, 2017 in Baltimore. This networking event highlights and celebrates the value and successes of women in the industry. Join CenturyLink, Cylance, Excelon, E8 Security, IBM, LookingGlass Cyber, BoozAllen, ClearedJobsdotnet, CyberPoint, CyberSecJobs, DeltaRisk, DefensePoint Security and Creatrix as a sponsor.
Viacom's exposed AWS S3 bucket.
UpGuard found it (Infosecurity Magazine). Among the items exposed were Viacom's cloud keys. UpGuard researchers found the exposure on August 30, and they describe it as having had the potential to enable "malicious actors to launch a host of damaging attacks, using the IT infrastructure of one of the world’s largest broadcast and media companies" (UpGuard).
Viacom acted promptly to secure its cloud infrastructure after UpGuard warned it, so the gaffe seems to have had little effect (BGR). The reputational damage of exploitation could have been great, to say nothing of the direct damage to the company and those who would have been touched by the botnets and attack platforms exploitation might have spawned.
It’s Casino Royale, but we’re betting on our Kids. Join approximately 300 Cyber Security experts, business leaders, and philanthropists for an inspirational evening of networking, dinner, and casino-themed entertainment—all to benefit Children's National Health System. Learn more about attending and supporting the White Hat Gala today.
NotPetya continues to affect the bottom line.
FedEx had a down quarter, due in part to hurricanes, but in part also to the effects of the pseudoransomware attack its TNT subsidiary sustained early this summer (Reuters). FedEx assessed losses NotPetya caused as running to $300 million. Part of their recovery plan is replacing TNT's legacy IT systems with current FedEx IT (BBC). Integration is now expected to cost FedEx $350 million, $75 million more than previous estimates (Reuters).
Costs of other incidents.
Small and medium businesses are being stung by ransomware to the tune of $301 million in extortion payments in 2016-2017 (Dark Reading). This does not include costs of recovery, lost business, and so on. There are signs, however, that businesses are more resolved to refuse payment.
According to a Kaspersky study, costs of a breach are up this year. The study also breaks out IT security budgets by amount spent per employee: government agencies spend $959, IT and telcos $1258, utilities $1344, and financial services companies $1436 (CSO).
NIST reflections on resilience.
The US National Institute of Standards and Technology (NIST) has published a study of means of achieving resilience, with comments on drafts. The study repays reading, especially given the prominence the NIST cyber framework assumed for the US Federal Government as a whole in the President's Executive Order on cybersecurity. The report is part of NIST's action under that Executive Order to promote resilience. There were six major findings: (1) The problem is global. (2) Effective tools for resilience are readily available. (3) Products must be secured through their entire lifecycle. (4) There are gaps in education and awareness. (5) Market incentives can conflict with resiliency goals. (6) Coordinated cross-sector action is needed.
WikiLeaks goes ай-ай-ай at Russia. (Not all are impressed.)
Early Tuesday WikiLeaks dumped documents purporting to reveal what may be one of the world's worst kept secrets: Russian intelligence services use Russian companies to aid them in surveillance and intelligence collection (TechCrunch). WikiLeaks released the details in "Spy Files Russia." Thirty-four documents describe a program that used the St. Petersburg telecoms software provider Peter-Service to establish a sweeping mass surveillance program.
From a Form Critical perspective the narrative is essentially the same one WikiLeaks extracted from Edward Snowden's leaks. In case you missed the connection, WikiLeaks helpfully points out that the whole thing looks a lot like an alleged US surveillance program. Indeed, the Russian documents represent practically a derivative product. One of the more interesting presentations is described as being essentially a defensive response to US efforts as described in the Snowden material. If the US was as capable as feared, what was Russia to do other than respond in kind? Thus the enlistment of a nominally private-sector company to serve as an adjunct to Russian security, law enforcement, and intelligence agencies. It's a parallel narrative: the baby face reluctantly responds in kind to the heel.
Observers are skeptical on a few levels (WIRED). WikiLeaks has long acted like a de facto Russian agent of influence even as the group has maintained its self-presentation as an independent and disinterested advocate of transparency and civil liberties. So these latest dumps seem nicely timed to portray an air of even-handedness. They are, however, unsurprising and fairly anodyne in their content, unlike the corrosive material Snowden delivered.
So you may take your pick: WikiLeaks really is independent and this is evidence of the fact, or, alternatively, the contents of Spy Files Russia amount to so much wolf meat tossed out to distract pursuers. In any case WikiLeaks seems determined to maintain the kayfabe that it's a face and not a heel. (Want to get your kayfabe right? Consult someone like Mr. Volkoff, or Colonel Ninotchka. The ShadowBrokers do this sort of thing better; one needs at least the Brokers' professional-wrestling-grade schtick if the audience is to achieve not necessarily credulity, but at least willing suspension of disbelief.)
Information operations (and a "Truth SWAT Team" is closing).
The Czech Centre against Terrorism and Hybrid Threats (Czech acronym CTHH), formed as a national debunking squad for disinformation, seems to have fallen short of its promise and will soon be shuttered (Foreign Policy). The asymmetric threat of information operations, of course, persists (Cipher Brief).
Twitter is going to appear (in the physical persons of its executives) before the Senate Intelligence Committee this coming week to testify about Russian influence operations (WIRED). Facebook's interactions with investigators have been pricklier: apparently catphish also have privacy rights, at least in St. Petersburg and Menlo Park.
False alarms and a cautionary tale of attribution.
Stanislav Petrov has died at the age of 77 (USA Today). An officer in the PVO Strany, the Soviet Air Defense Forces, Petrov became a post-Cold War hero, credited with saving the world from nuclear war (Guardian). He was a lieutenant colonel on watch at a PVO Strany command center outside Moscow the night of September 26th, 1983, when satellite sensors reported multiple launches from the United States. His team was getting panicky, but Petrov wasn't convinced. Although the satellite attack phenomenology was considered high-confidence, he was unwilling to call for a retaliatory launch-on-warning. When ground radars saw nothing inbound, Petrov convinced his superiors it was a false alarm. It turned out, of course, that it was. The satellite had misinterpreted sunlight glittering on the tops of high clouds as a covey of American Minutemen inbound from the Great Plains.
This was a period of considerable tension. Just weeks earlier, on September 1st, a PVO Strany SU-15 interceptor had shot down Korean Air Lines Flight 007, a Boeing 747 en route from New York to Seoul, by way of Anchorage. KAL 007 had strayed into Soviet air space near Sakhalin Island. PVO Strany had observed it on radar and, becoming convinced it was an American RC-135 on a MASINT mission, shot the airliner down. All aboard were lost.
This is worth remembering as a timely reminder of the great and terrible consequences mistakes, confusion, and misattribution can have. We heard about the difficulties of attribution of cyber attacks from Thomas Rid this week at the Johns Hopkins University. It's a complex process, as much art as it is science, and we do well to approach it with a healthy degree of self-doubt, especially when the evidence, drawn from our fastest sensors, can seem to conform so readily to the picture we've formed of how things must be. So, as cyber attacks have increasingly serious physical consequences, and as we become ready to see them as acts of war, spare a thought for Lieutenant Colonel Petrov and remember how ambiguous that evidence can be. As a friend of Petrov's said, "We owe this man a lot" (Los Angeles Times).
The third quarter of 2017 has seen notable venture investment in cybersecurity (Dark Reading). A number of companies this week announced closing an investment round. Aqua Security has raised $25 million in Series B (Aqua Blog). Threat Stack announced a $45 million Series C round (BusinessWire). Jask has received an unspecified investment from Cylance founder and CEO Stuart McClure, who's also joined Jask's board (FinSMEs). inBay Technologies has closed a $1 million funding round (PRWeb). Digital Shadows has picked up $26 million in Series C (Startups). Securonix raised $29 million in a Series A round (FinSMEs). Capsul8 reports a $6 million Series A round led by Bessemer Venture Partners (Globe Newswire). Security-as-a-service provider Cygilant has raised $7 million in growth funding (FinSMEs). Bastille has picked up $27 million in Series B (PRNewswire). And MongoDB is filing an IPO (TechCrunch).
Some of these startups are making noticeable inroads into the market share of large, well-established companies (Forbes), and this may be driving acquisition activity. Value Walk sees a trend: older, larger tech companies buying cyber firms to push into the sector, especially where tech overlaps the defense and aerospace sector (Military Embedded Systems).
SecureAuth and Core Security announced their merger (pending appropriate regulatory approval). The new company intends to "combine network, endpoint, vulnerability and identity security, and offer the industry’s first identity-based security automation platform" (Infosecurity Magazine). They're working through a branding exercise for the new company, whose name and other branding elements have yet to be determined. And SecureAuth also says it's raised more than $200 million in support of expansion plans (SecureAuth). ManTech has announced its acquisition of InfoZen for $180 million; Washington Business Journal says the buy is a Federal IT modernization play. Microsoft's acquisition of Hexadite has drawn positive reviews as a sign of Redmond's growing seriousness about security (Computerworld). One acquisition that seems to be off the table is Symantec's long-rumored sniffing around Splunk (Bloomberg).
As promised, the US Department of Homeland Security has published more details on its ban of Kaspersky products (Federal Register). The Binding Operational Directive is less sweeping than it seemed at first. The ban doesn't apply to Kaspersky code that's "embedded in the products of other companies," nor does it cover Kaspersky's Threat Intelligence and Security Training services. Reviews of the action remain ambivalent. It's generally received strong support from within the US Government, and from some sections of US industry. Russia says it's a trade war, Kaspersky says he's caught in a crossfire, and some in the West suggest the ban sets a dangerous precedent (VAR Guy).
Today's issue includes events affecting Canada, Czech Republic, Russia, United Kingdom, United States.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.