SEC breached in 2016; data used for illicit trades?
The US Securities and Exchange Commission (SEC), the stock market watchdog, announced on September 20, 2017, that it learned last month that an intrusion into its EDGAR reporting system seems to have been used for illegal stock trading. The SEC knew in 2016 that EDGAR had been hit with unauthorized access; the news is that upon investigation it seems the intrusion may have enabled illicit gains. The disclosure appeared in a long statement by the SEC chair outlining the ways in which cyber security and resilience are important, and describing the Commission's assessment of its risk profile. Here are the relevant passages:
"Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities. As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.[3]
"In addition, like other organizations, we are subject to the risk of unauthorized actions or disclosures by Commission personnel. For example, a 2014 internal review by the SEC's Office of Inspector General ("OIG"), an independent office within the agency, found that certain SEC laptops that may have contained nonpublic information could not be located.[4] The OIG also has found instances in which SEC personnel have transmitted nonpublic information through non-secure personal email accounts." (SEC)
EDGAR (Electronic Data Gathering, Analysis, and Retrieval) is the SEC's central collection point for the filings public companies are required to submit. Congress and the Department of Homeland Security have raised concerns over SEC cyber risk before (Reuters).
There's no word, yet, on who hacked EDGAR, how they did it, or how they exploited their guilty knowledge for stock trading.
Equifax's earlier breach attracts belated notice.
This one apparently happened in March (Bloomberg). Early reports seemed to indicate that Equifax had kept that incident quiet, but that seems not to have been the case. The credit bureau did indeed sustain a breach in March, well before the incident disclosed on September 14, but the company did in fact disclose that breach in a relatively timely manner. The industry press picked it up; big media didn't (The Hill).
This attack is thought by some to have been carried out by the same group that hit the credit bureau later, through its unpatched Apache Struts implementation. But there's no clear attribution, yet. Some suggest that it was a state-sponsored attack, but that may be an instance of wishful thinking: most enterprises would rather say they'd been compromised by sophisticated spies than by common criminals or script kiddies (Australian).
There has been some additional embarrassment in the course of the credit bureau's incident response. Equifax took to social media (Twitter, specifically) to advise concerned consumers where to turn for news and assistance. Unfortunately the company's tweets transposed the URL and, for about two weeks, directed people to a watering hole set up with just such typosquatting in mind. The good news is the watering hole was set up for research purposes, more or less, by a white hat developer who was curious how many people would show up at the bogus securityequifax2017.com instead of the genuine equifaxsecurity2017.com (Help Net Security).
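One defensive check the Equifax tweet mishap suggests, as an added example that is not Equifax's or any vendor's code: a pre-publication scan of outbound messages that flags domains which are reorderings or near-typos of the approved incident-response domain. The approved-domain set and the sample message are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed assumption: the domains a communications team has approved
# for outbound messages. Anything that merely resembles one is suspect.
LEGIT_DOMAINS = {"equifaxsecurity2017.com"}

URL_RE = re.compile(r"https?://[^\s)\"']+", re.IGNORECASE)


def registrable(host: str) -> Tuple[str, str]:
    """Reduce 'www.example.com' to ('example', 'com'); deeper subdomains are ignored."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-typo lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str) -> Optional[str]:
    """Explain why `host` resembles an approved domain without being one, else None."""
    label, tld = registrable(host)
    if f"{label}.{tld}" in LEGIT_DOMAINS:
        return None
    for legit in LEGIT_DOMAINS:
        l_label, l_tld = registrable(legit)
        # Same letters, different order: the securityequifax2017.com case.
        if label != l_label and sorted(label) == sorted(l_label):
            return f"reordering of {legit}"
        # Same or nearly the same label (dropped letter, swapped TLD, etc.).
        if edit_distance(label, l_label) <= 2:
            return f"near-match of {legit}"
    return None


def flag_urls(text: str) -> List[Tuple[str, str]]:
    """Extract URLs from a draft message; return (url, reason) for each lookalike."""
    flagged = []
    for url in URL_RE.findall(text):
        reason = lookalike_reason(urlparse(url).hostname or "")
        if reason:
            flagged.append((url, reason))
    return flagged
```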
The Register notes that Equifax last year began offering breach response preparation consulting. Among the advice it dispensed was that customers expected to be notified of a breach within hours of discovery.
The non-technical, non-engineering academic background of senior Equifax security executives has raised eyebrows, but consensus is that, on reflection, it's a false issue. There were no doubt many security failings in the company's culture and management, but degrees in music were not among them (Washington Post).
There's now a figure for the number of Canadians affected by the breach: 100,000, according to Equifax's Canadian division (The Hill).
Class action suits and state investigations have begun (PRNewswire), and consensus among lawyers is that more regulation is coming (New York Law Journal). Representative Langevin (D-Rhode Island) reintroduced a Federal breach notification bill. Senators urge the Federal Trade Commission to open an inquiry (Housing Wire).
That other big breach, OPM's, is still being litigated.
Lawsuits against OPM and its contractors were dismissed Tuesday (The Hill). Appeals were filed within an hour of the dismissal, so this isn't over (National Law Journal).
Viacom's exposed AWS S3 bucket.
UpGuard found it (Infosecurity Magazine). Among the items exposed were Viacom's cloud keys. UpGuard researchers found the exposure on August 30, and they describe it as having had the potential to enable "malicious actors to launch a host of damaging attacks, using the IT infrastructure of one of the world’s largest broadcast and media companies" (UpGuard).
Viacom acted promptly to secure its cloud infrastructure after UpGuard warned it, so the gaffe seems to have had little effect (BGR). The reputational damage of exploitation could have been great, to say nothing of the direct damage to the company and those who would have been touched by the botnets and attack platforms exploitation might have spawned.
NotPetya continues to affect the bottom line.
FedEx had a down quarter, due in part to hurricanes, but in part also to the effects of the pseudoransomware attack its TNT subsidiary sustained early this summer (Reuters). FedEx assessed losses NotPetya caused as running to $300 million. Part of their recovery plan is replacing TNT's legacy IT systems with current FedEx IT (BBC). Integration is now expected to cost FedEx $350 million, $75 million more than previous estimates (Reuters).
Costs of other incidents.
Small and medium businesses are being stung by ransomware to the tune of $301 million in extortion payments in 2016-2017 (Dark Reading). This does not include costs of recovery, lost business, and so on. There are signs, however, that businesses are more resolved to refuse payment.
According to a Kaspersky study, costs of a breach are up this year. The study also breaks out IT security budgets by amount spent per employee: government agencies spend $959, IT and telcos $1,258, utilities $1,344, and financial services companies $1,436 (CSO).
NIST reflections on resilience.
The US National Institute of Standards and Technology (NIST) has published a study of means of achieving resilience, with comments on drafts. The study repays reading, especially given the prominence the NIST cyber framework assumed for the US Federal Government as a whole in the President's Executive Order on cybersecurity. The report is part of NIST's action under that Executive Order to promote resilience. There were six major findings: (1) The problem is global. (2) Effective tools for resilience are readily available. (3) Products must be secured through their entire lifecycle. (4) There are gaps in education and awareness. (5) Market incentives can conflict with resiliency goals. (6) Coordinated cross-sector action is needed.
WikiLeaks goes tsk-tsk at Russia. (Not all are impressed.)
Early Tuesday WikiLeaks dumped documents purporting to reveal what may be one of the world's worst kept secrets: Russian intelligence services use Russian companies to aid them in surveillance and intelligence collection (TechCrunch). WikiLeaks released the details in "Spy Files Russia." Thirty-four documents describe a program that used the St. Petersburg telecoms software provider Peter-Service to establish a sweeping mass surveillance program.
From a Form Critical perspective the narrative is essentially the same one WikiLeaks extracted from Edward Snowden's leaks. In case you missed the connection, WikiLeaks helpfully points out that the whole thing looks a lot like an alleged US surveillance program. Indeed, the Russian documents represent practically a derivative product. One of the more interesting presentations is described as being essentially a defensive response to US efforts as described in the Snowden material. If the US was as capable as feared, what was Russia to do other than respond in kind? Thus the enlistment of a nominally private-sector company to serve as an adjunct to Russian security, law enforcement, and intelligence agencies. It's a parallel narrative: the baby face reluctantly responds in kind to the heel.
Observers are skeptical on a few levels (WIRED). WikiLeaks has long acted like a de facto Russian agent of influence even as the group has maintained its self-presentation as an independent and disinterested advocate of transparency and civil liberties. So these latest dumps seem nicely timed to portray an air of even-handedness. They are, however, unsurprising and fairly anodyne in their content, unlike the corrosive material Snowden delivered.
So you may take your pick: WikiLeaks really is independent and this is evidence of the fact, or, alternatively, the contents of Spy Files Russia amount to so much wolf meat tossed out to distract pursuers. In any case WikiLeaks seems determined to maintain the kayfabe that it's a face and not a heel. (Want to get your kayfabe right? Consult someone like Mr. Volkoff, or Colonel Ninotchka. The ShadowBrokers do this sort of thing better; one needs at least the Brokers' professional-wrestling-grade schtick if the audience is to achieve not necessarily credulity, but at least willing suspension of disbelief.)
Information operations (and a "Truth SWAT Team" is closing).
The Czech Centre against Terrorism and Hybrid Threats (Czech acronym CTHH), formed as a national debunking squad for disinformation, seems to have fallen short of its promise and will soon be shuttered (Foreign Policy). The asymmetric threat of information operations, of course, persists (Cipher Brief).
Twitter is going to appear (in the physical persons of its executives) before the Senate Intelligence Committee this coming week to testify about Russian influence operations (WIRED). Facebook's interactions with investigators have been pricklier: apparently catphish also have privacy rights, at least in St. Petersburg and Menlo Park.
False alarms and a cautionary tale of attribution.
Stanislav Petrov has died at the age of 77 (USA Today). An officer in the PVO Strany, the Soviet Air Defense Forces, Petrov became a post-Cold War hero, credited with saving the world from nuclear war (Guardian). He was a lieutenant colonel on watch at a PVO Strany command center outside Moscow the night of September 26th, 1983, when satellite sensors reported multiple launches from the United States. His team was getting panicky, but Petrov wasn't convinced. Although the satellite attack phenomenology was considered high-confidence, he was unwilling to call for a retaliatory launch-on-warning. When ground radars saw nothing inbound, Petrov convinced his superiors it was a false alarm. It turned out, of course, that it was. The satellite had misinterpreted sunlight glittering on the top of high clouds as a covey of American Minutemen inbound from the Great Plains.
This was a period of considerable tension. Just weeks earlier, on September 1st, a PVO Strany SU-15 interceptor had shot down Korean Air Lines Flight 007, a Boeing 747 en route from New York to Seoul, by way of Anchorage. KAL 007 had strayed into Soviet air space near Sakhalin Island. PVO Strany had observed it on radar and, becoming convinced it was an American RC-135 on a MASINT mission, shot the airliner down. All aboard were lost.
This is worth remembering as a timely reminder of the great and terrible consequences mistakes, confusion, and misattribution can have. We heard about the difficulties of attribution of cyber attacks from Thomas Rid this week at the Johns Hopkins University. It's a complex process, as much art as it is science, and we do well to approach it with a healthy degree of self-doubt, especially when the evidence, drawn from our fastest sensors, can seem to conform so readily to the picture we've formed of how things must be. So, as cyber attacks have increasingly serious physical consequences, and as we become ready to see them as acts of war, spare a thought for Lieutenant Colonel Petrov and remember how ambiguous that evidence can be. As a friend of Petrov's said, "We owe this man a lot" (Los Angeles Times).
Industry notes.
The third quarter of 2017 has seen notable venture investment in cybersecurity (Dark Reading). A number of companies this week announced closing an investment round. Aqua Security has raised $25 million in Series B (Aqua Blog). Threat Stack announced a $45 million Series C round (BusinessWire). Jask has received an unspecified investment from Cylance founder and CEO Stuart McClure, who's also joined Jask's board (FinSMEs). inBay Technologies has closed a $1 million funding round (PRWeb). Digital Shadows has picked up $26 million in Series C (Startups). Securonix raised $29 million in a Series A round (FinSMEs). Capsule8 reports a $6 million Series A round led by Bessemer Venture Partners (Globe Newswire). Security-as-a-service provider Cygilant has raised $7 million in growth funding (FinSMEs). Bastille has picked up $27 million in Series B (PRNewswire). And MongoDB is filing an IPO (TechCrunch).
Some of these startups are making noticeable inroads into the market share of large, well-established companies (Forbes), and this may be driving acquisition activity. Value Walk sees a trend: older, larger tech companies buying cyber firms to push into the sector, especially where tech overlaps the defense and aerospace sector (Military Embedded Systems).
SecureAuth and Core Security announced their merger (pending appropriate regulatory approval). The new company intends to "combine network, endpoint, vulnerability and identity security, and offer the industry’s first identity-based security automation platform" (Infosecurity Magazine). They're working through a branding exercise for the new company, whose name and other branding elements have yet to be determined. And SecureAuth also says it's raised more than $200 million in support of expansion plans (SecureAuth). ManTech has announced its acquisition of InfoZen for $180 million; Washington Business Journal says the buy is a Federal IT modernization play. Microsoft's acquisition of Hexadite has drawn positive reviews as a sign of Redmond's growing seriousness about security (Computerworld). One acquisition that seems to be off the table is Symantec's long-rumored sniffing around Splunk (Bloomberg).
As promised, the US Department of Homeland Security has published more details on its ban of Kaspersky products (Federal Register). The Binding Operational Directive is less sweeping than it seemed at first. The ban doesn't apply to Kaspersky code that's "embedded in the products of other companies," nor does it cover Kaspersky's Threat Intelligence and Security Training services. Reviews of the action remain ambivalent. It's generally received strong support from within the US Government, and from some sections of US industry. Russia says it's a trade war, Kaspersky says he's caught in a crossfire, and some in the West suggest the ban sets a dangerous precedent (VAR Guy).