A major breach in SingHealth developed over the weekend, affecting approximately 1.5 million citizens of Singapore. The data, which were taken over a period of eight days before the exfiltration was discovered, included name, National Registration Identity Card (NRIC) number, address, gender, race, and date of birth. For some 160 thousand patients, the data taken included details of medicines they'd received (OpenGovAsia). Singapore officials, while acknowledging the value the data could have if monetized by criminals, think the operation was run by a nation-state (Channel News Asia). Many have praised the government's response (Bleeping Computer) but the incident has prompted calls for a reboot of Singapore's Smart Nation initiatives (Straits Times). Part of the response to the breach was to disconnect healthcare systems from the Internet. This has caused some inconvenience to patients and customers, but the affected organizations are making do with a variety of backups (Straits Times).
Find out how you can be equipped with a continuous 360° view of which critical assets are at risk, what security issues you should focus on, and how best to harness your resources to resolve them. Simulate, validate and remediate every hacker’s path to your organizational critical assets.
Third-party data breach affects major manufacturers.
UpGuard reported that Level One Robotics, which supplies major industrial firms, left 157GB of data exposed on a publicly accessible server. Data from VW, Chrysler, Ford, Toyota, GM, Tesla, and ThyssenKrupp included assembly line schematics, plant floor plans, robotic configurations, request forms for ID badges and VPNs, and non-disclosure agreements. The data also include personal information on Level One employees and some Level One business data, including contracts, details of bank accounts, and invoices (CSO).
What do Floppy Disks, Han Solo, and Insider Threats Have in Common?
Visit the ObserveIT booth at Black Hat USA to find out! They’re going back to the 80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy—so you don’t have to be stuck in the past with your DLP and Flock of Seagulls haircut. And before you head out to Vegas, take ObserveIT’s quiz on which 80’s pop culture icon best represents your insider threat management strategy.
US concerns about Russian cyber battlespace preparation remain high.
The US Department of Homeland Security is describing extensive battlespace preparation against electrical power infrastructure control centers (Fifth Domain). The Department's NCCIC began a series of webinars on the threat that will continue into the coming week (US-CERT). Industry sources vigorously second the warnings. Security industry comments run along the lines of "this is the new normal" (Nozomi) to "we've known this for years—why now" (Control Global). Such alerts have been sounded for some years, but they're being delivered with unusual urgency now.
2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past.
WannaCry, NotPetya, ransomware-as-a-service, and fileless attacks abounded. And, that’s not everything. The victims of cybercrime ranged from private businesses to the fundamental practices of democracy. Read The Cylance Threat Report: 2017 Year in Review Report and learn about the threat trends and malware families their customers faced in 2017.
ERP systems under attack.
The US Department of Homeland Security's US-CERT has warned businesses that hackers are actively targeting SAP and Oracle enterprise resource planning (ERP) applications. The warning from US-CERT was prompted by release of research by Onapsis and Digital Shadows. Hundreds of thousands of ERP implementations worldwide handle sensitive company data, and the researchers note that "an astonishing number" of those implementations are insecure. Attacks have risen, and so has black market interest in ERP attack tools.
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
Maritime sector ransomware incident.
Shipper Cosco was hit by an apparent ransomware attack this week (Threatpost). The incident began at Cosco's Long Beach, California, terminal, but quickly spread to other areas (MarineLog). Business networks and phones were affected, and Cosco says there was no risk to safety of navigation. The shipping company seems to have been resilient enough to work through the attack, saying by midweek that it was back to "business as usual" (Loadstar). There's little known about the details of the attack, nor is there any attribution. The industry press has drawn comparisons to Maersk's experience with NotPetya in 2017 (Seatrade Maritime News), but Cosco appears to be weathering this storm better than Maersk did. Its workarounds have included some creative use of Facebook and Twitter (Loadstar).
Patches and updates.
As long promised and expected, on Tuesday Chrome began to flag http sites as "not secure" (BBC). There were other improvements to Chrome 68 as well, but the nudge toward general encryption seems the most significant change (Bleeping Computer).
The Bluetooth man-in-the-middle bug receives more fixes. These will be issued vendor-by-vendor (Register).
Crime and punishment.
The Russian hacker facing charges in connection with breaching LinkedIn, Yevgeniy Nikulin, is said to be refusing to cooperate with his defense attorneys, and has been placed on suicide watch because of his lack of communication. Mr. Nikulin has entered a plea of not guilty (CyberScoop).
An unusually clueless but connectivity-obsessed burglar, masked and everything, broke into a Palo Alto couple's home in the middle of the night, entering their bedroom to wake them up and ask for their WiFi password because he was "out of data." Police haven't released his name, because he's just seventeen and therefore a minor (Ars Technica).
Courts and torts.
The National Bank of Blacksburg suffered two series of cyber robberies, enabled by successful phishing that gave the hackers (thought to be a Russian gang) access to Blacksburg accounts through ATMs. The bank is taking Everett National Insurance to court for failing to cover the full $2.4 million loss. The policy Blacksburg had with Everett had two riders: a “computer and electronic crime” rider with a single loss limit liability of $8 million and a $125 thousand deductible, and a "debit card rider," which limited single loss liability to $50 thousand with a $25 thousand deductible and an aggregate limit of $250 thousand. The bank complains that the insurance company regarded the crimes as covered by the debit card rider, presumably since they involved ATM exploits (KrebsOnSecurity).
Policies, procurements, and agency equities.
Germany's Interior Ministry has renewed a push for Bundestag action on legislation that would authorize retaliatory cyber action against nation-state attacks (Reuters).
A Canadian federal court has denied the Canadian Security Intelligence Service (CSIS) a warrant to collect overseas. It can develop intelligence against foreign targets, but only through domestic collection (unless national security is at stake, ceteris paribus, etc.) (Straits Times).
In the US, the Defense authorization bill will have interesting implications for national cyber policy (Fifth Domain). Artificial intelligence and machine learning also receive Congressional attention (C4ISRNET).
And warnings of Russian incursion over the last several years into American power grid facilities have considerably exercised Congress, which heard testimony on the threat Tuesday from Homeland Security Under Secretary Christopher Krebs. Anger over Russian influence operations directed toward elections runs high (Military.com).
Rapid acquisition of swiftly evolving technologies has long been a challenge for the US Department of Defense, operating as it does with a procurement system designed for legalistic procedural equity and the avoidance of petty fraud, waste, and abuse. It's well-suited, some say, to purchasing things like large warships, but cumbersome when it comes to getting new technology to operators. Other Transaction Authorities (OTAs) have seen some use in procuring cyber systems. US Cyber Command, which now has certain procurement authorities, intends to make more use of them, and it's also looking at the "IT box construct" as a way of circumventing traditional obstacles to rapid acquisition (Fifth Domain). There's widespread skittishness over the way the Department of Defense has used OTAs. The range of estimates of how much has been spent under OTAs over the last three years ranges from the $4.2 billion offered by the Federal Procurement Data System to the $21 billion reported by DoD public affairs officers, which indicates speed of acquisition may be accompanied by murky controls (Federal News Radio).
Other US agencies are also making use of OTAs in the cybersecurity sector. The Department of Homeland Security's Science and Technology Directorate's Silicon Valley Innovation Program (SVIP), whose current solicitation may be found here, is closer to the original prototyping intent of OTAs.
It's not just technology that's in flux. Cyber operational doctrine is, too. It needs to respond to technological advance, but also to changing conceptions of conflict in cyberspace. US Army Cyber Command leaders told the Association of Old Crows last week that cyber doctrine probably needs to be updated every eighteen months (Fifth Domain). One near-term doctrinal shift may be toward a more aggressive posture: US Cyber Command leader General Nakasone would like to see his command become more assertive in cyberspace (Fifth Domain). Putinist outlet RT notes signs of this shift in the formation of the Russia Small Group within Nakasone's fiefdom.
The US Department of Justice, for years the leading dead-ender in the crypto wars, at least in the Western Hemisphere, is preparing another offensive. The axis of advance will be responsible encryption (Washington Post).
The US National Security Agency has received a starchy report from its Inspector General, which found that the agency's analysts performed searches under NSA's Foreign Intelligence Surveillance Act Authority that were "noncompliant." The IG cites "human error, incomplete understanding of the rules, and gaps in guidance" as the causes of the lapses (Fifth Domain).
Fortunes of commerce.
The current US-election-driven bull market in cybersecurity stocks seems likely to have at least a couple of months left to run, depending upon what happens between now and November (Nasdaq). Specialized cyber Exchange Traded Funds (ETFs) are attracting some analysts' attention as an attractive play on the sector's fortunes (Seeking Alpha).
The $5.1 billion charge Alphabet, Google's corporate parent, took to cover its EU fines erased two-thirds of the company's second quarter profits, but those underlying profits were so good, beating analysts' forecasts by 20%, that investors found it easy to look past the regulatory action (Times). The company continued to come in for criticism on Capitol Hill. It enables and collaborates with Chinese government surveillance while piously declining to work with the US Department of Defense, which is roughly how Senator Marco Rubio (Republican of Florida) expressed it (Washington Examiner).
Facebook did not have a good week. The bill for data handling and privacy issues seems to have finally come due (WIRED). The company sustained the largest single-day loss in the history of US stock markets (CNBC).
Twitter's week was also shaky, despite revenue being up (TechCrunch). It's lost a million users this quarter, many of them bots and various bogus accounts the company itself purged, but investors are skittish, and the share price dropped sharply on the news (Wall Street Journal). And between Facebook and Twitter, cue the tipsheet freakout over a social media "tipping point" (Zacks).
Tenable had a very good week. The Maryland-based cybersecurity company, best known for Nessus, went public Thursday. Its shares closed up 31%. The company had hiked its initial share price to $23 (up from the expected range of $20 to $22) shortly before it began trading. The company raised $250 million in its IPO. Tenable now trades on the Nasdaq, ticker symbol TENB (CNBC). Investors like the company's subscription-based model enough to give it a market cap of around $3 billion (Seeking Alpha).
IBM is getting some favorable attention from the markets, and Big Blue says this is due to its successful strategic shift into new areas, including AI and security. Skeptics think it's stronger mainframe sales, as if there's something wrong with that (Register).
Privacy regulations (and staff charged with ensuring compliance) increasingly influence and often determine the security technologies companies adopt (Help Net Security).
Booz Allen Hamilton has been awarded a $92 million task order by the US Navy to secure maritime cyber systems (GovConWire).
Salient CRGT has received a $34 million IT task order to support the US Defense Technology Security Administration. The work will include information security services (PRNewswire).
ZTE's lifeline comes priced at a cool $1.4 billion in penalties, as negotiated with the US Department of Commerce (Global Trade). It seems to have been worth it, for ZTE at least (Fifth Domain). How long that lifeline will hold is unknown: the US House passed its version of the 2019 Defense Appropriations Act this week, and it included provisions that would bar Defense purchasing from many Chinese companies, including ZTE (South China Morning Post).
The labor market.
Her Majesty's Government continues to evince concern about the future of the cybersecurity professions and the supply of qualified labour (Personnel Today). They've undertaken a nationwide consultation on the health of the workforce. You'll be able to offer your two pence until the end of August, cousins (Infosecurity Magazine).
If there's a cybersecurity labor shortage, what positions are tough for organizations to fill? Here's a note on what information security experts actually do (CNBC). Part of the problem may still be, as improbable as it might seem to those working in the sector, that people are unfamiliar with opportunities in the field (Moneyish).
It can be difficult to identify who actually works in security, as journalistic inquiries into the recent ComplyRight breach seem to indicate. Brian Krebs, at least, has been looking for members of the HR company's security team, but with no joy (Infosecurity Magazine). Is that a bug or a feature? Perhaps an HR firm might not be expected to be coy about who runs its security, but at least a few organizations in the security sector are.
Deloitte's Women in Cyber initiative is intended to increase opportunities for women in the sector (Accountancy Age).
Mergers and acquisitions.
Gigamon has acquired ICEBRG, a start-up that specializes in threat detection and triage. Gigamon sees it as a play in simplifying the security stack, and as a way of improving its position in the cloud-based data management and network security as a service markets (PRNewswire). The companies managed service provider partners are expected to find the new capabilities particularly attractive (Channelnomics).
Thales says its purchase of Gemalto is right on track (Reuters). It won't, however, be entirely free of regulatory scrutiny: citing the potential for higher prices, reduced customer choice, and inhibited innovation, the European Commission has opened an anti-trust inquiry into the proposed acquisition (Europa).
Sources tell Reuters that Verint's projected acquisition of NSO Group is off. The reasons are unclear, but it's believed NSO's founders have opposed the merger, which was favored by the company's majority owner Francisco Partners (Times of Israel).
Kape Technologies has acquired Seattle-based Intego for $16 million. The acquisition of Intego is an IoT security play for Israel-based Kape (Globes).
Imperva is buying devops security shop Prevoty, in whose application-level security expertise Imperva sees great promise (BusinessWire).
San Francisco-based Cyberfort Software announced its intention to grow through acquisition (Globe Newswire).
Investments and exits.
CyberMDX, a medical cybersecurity shop based in New York, has raised $10 million in Series A (Alley Watch).
Siemplify, of New York and Tel Aviv, closed a $14 million Series B round led by Jump Capital and joined by existing investors G20 Ventures and 83North. The company intends to use the funding to meet growing demand for security orchestration, automation, and response (Siemplify).
Accenture has formed an alliance with Ripjar, and solidified that alliance with an investment in the analytics company. The goal of the alliance is access to Ripjar's Labyrinth intelligence platform, which Accenture sees as valuable to its work in detecting financial crime, public safety threats, and cyber incidents in client engagements (Help Net Security).
And security innovation.
Novetta has established a machine-learning center of excellence (PRNewswire).
British Columbia-based Plurilock Solutions has received a $200 thousand award from the US Department of Homeland Security's Science and Technology Directorate to develop an identity management platform that would contribute to IoT security. The award was made under the Directorate's Silicon Valley Innovation Program (Newswise).
MACH37 has opened applications for its next class of startups. The Fall 2018 cohort rolls up its sleeves on September 24th. To get in on it, MACH37 advises applying before August 27th (Globe Newswire).
Today's issue includes events affecting Canada, China, German, Israel, Russia, Singapore, United Kingdom, United States.
ON THE PODCAST
Research Saturday is up. We speak with researchers at Defiant who recently analyzed a malware family they named "BabaYaga," which has the curious behavior of clearing out other malware and keeping infected sites up-to-date. Brad Hass is a senior security analyst at Defiant, and he guides us through their findings.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.