Financial data exposure and third-party issues.
TechCrunch reported Wednesday that data from more than 24 million bank loan and mortgage documents were found on an unsecured server by security researcher Bob Diachenko. The server was storing over a decade's worth of "loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents." The data had been converted from paper documents via optical character recognition (OCR) and stored in an Elasticsearch cluster on the server. Diachenko and TechCrunch traced the source of the leak to a data and analytics company called Ascension, which said that one of its vendors was the culprit. The vendor, New York-based software company OpticsML, said it was "working with the appropriate authorities and a forensic team to analyze the full extent of the situation."
On Thursday, TechCrunch reported that Diachenko had discovered a second server, also without a password and accessible from the Internet. This one stored 23,000 pages of original documents. Diachenko noted that this was an Amazon S3 server, which would be password-protected and offline by default, so someone at some point chose to remove its password and connect it to the internet. It's not clear how long this server was exposed or how many times it had been accessed by unauthorized parties. Diachenko told TechCrunch that "this information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards."
DHS versus DNS hijacking.
On Tuesday, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all non-national-security agencies instructing them to secure their networks against a DNS-hijacking campaign (Washington Post). Within ten business days, the agencies must audit their DNS records, change passwords and add multi-factor authentication for accounts that can access their DNS records, and monitor certificate transparency logs for unauthorized certificates. The directive says that "CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign." According to CyberScoop, this includes at least six US Federal civilian agencies.
The DNS-hijacking campaign was first observed by Cisco Talos, which released an early report on the activity in November. Earlier this month, FireEye published a report showing that the campaign was much larger than initially thought. FireEye tentatively suggested the activity was linked to Iran, but added that the campaign "may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers."
Cyber's prominence in the 2019 US National Intelligence Strategy.
Director of National Intelligence Dan Coats on Tuesday released the 2019 US National Intelligence Strategy, outlining a host of "diverse and interconnected" threats posed by "traditional adversaries" as well as "evolving threats." It warns that emerging technologies will "enable new and improved military and intelligence capabilities for our adversaries," and that, "despite growing awareness of cyber threats and improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years to come."
The strategy lists seven mission objectives—three foundational and four topical. The foundational objectives include strategic intelligence to address issues relevant to "enduring national security interest," anticipatory intelligence to address "new and emerging trends, changing conditions, and underappreciated developments," and current operations intelligence. The topical mission objectives include cyber threat intelligence, counterterrorism, counterproliferation, and counterintelligence and security.
The disgruntled ex-employee threat.
The website of the popular WordPress plugin WPML (The WordPress Multilingual Plugin) was hacked by a former employee who sent “very distressing emails” to WPML clients concerning supposed vulnerabilities in the plugin, the company revealed on Sunday. The attacker gained access to WPML's servers using an old SSH password and a backdoor he had set up for himself while he was working for the company (Dark Reading). WPML's CEO Amir Helzer emphasized that the hack was accomplished using inside information, and not through any exploit in WordPress or WPML.
The attacker stole names and email addresses of clients, and he potentially has access to clients' WPML accounts. He also stole sitekeys, but WPML insists these are useless to him and can't be used to modify clients' sites (SecurityWeek). Helzer warns clients to be on the lookout for more suspicious emails, however, in case the attacker has any more tricks in mind.
Eh bien, voilà au moins qui n'est pas banal.
Speaking Tuesday in Lille, French Armed Forces Minister Florence Parly re-emphasized France's determination to engage across the spectrum of conflict in cyberspace, specifically including offensive cyber operations. She had said last week in Paris, according to Le Point, "La guerre cyber a commencé et la France doit être prête à y combattre:" cyberwar has begun, and France is determined to be ready to fight it. Her remarks in Lille included discussion of a coming bug bounty program and a significant investment in the cyber industrial base, including small businesses (Register).
Also speaking in Lille at PIC 2019, French diplomat Jean Heilbronn suggested that the prevalence of espionage in cyberspace tends to render it a grey area, where nations can easily cross lines into actions that would be, indeed, he said, are, prohibited by the laws of armed conflict and other international agreements. Speaking for himself and not for France, he suggested that we should have realistic expectations of what international law can do to restrain cyber conflict. He would cast the problem as one of crisis prevention, crisis management, and international regulation, all directed toward the creation of "new standards [and] new behaviours" (Register).
Microsoft President Smith has recently been urging the US to join the Paris Call for better international norms in cyberspace (Washington Post). But if we can take Mme. Parly and M. Heilbronn at their word, that call may be more nuanced and supple than it at first seems.
Patch news.
ACROS Security released temporary patches for the three Windows zero-day vulnerabilities revealed in December. The first patch fixes a vulnerability in the Windows Error Reporting system that could allow malware to overwrite any file on the system. The second addresses a flaw that allows malware to read any file on a system. The third patch fixes an issue with VCF and CONTACT files that allowed arbitrary code execution (SecurityWeek).
MalwareBytes has fixed a problem that was causing machines running Windows 7 to freeze up (BleepingComputer).
Microsoft is ending support for Windows 10 Mobile on December 10th, 2019. The company advises its customers to switch to an Android or iOS device (CRN Australia).
A security update for Wireshark fixes four denial-of-service vulnerabilities (SUSE Security Update).
Adobe has patched several cross-site scripting vulnerabilities in Experience Manager and Experience Manager Forms (SecurityWeek).
Apple's release of iOS 12.1.3 addresses thirty-one security flaws in a range of components, while macOS Mojave 10.14.3 fixes twenty-three vulnerabilities (SecurityWeek).
Crime and punishment.
The FBI arrested Roger Stone, former advisor to US President Trump, in Florida early Friday pursuant to an indictment obtained by Special Counsel Robert Mueller. Mr. Stone has been charged with seven process crimes: obstruction of an official proceeding, witness tampering, and five counts of making false statements. The indictment doesn’t allege that he conspired with WikiLeaks, Julian Assange, or others, as the Washington Post notes, but rather that he was not candid about his interest in learning about whatever dirt they may have had on the Clinton campaign.
Bulgarian authorities have extradited a Russian national wanted in the US. Alexander Zhukov, nom-de-hack "Nastra," is in a Brooklyn jail, whence he'll be facing the music in a Federal ad-fraud beef. Mr. Zhukov was pulling down about $20,000 a month until a dispute with his customer blew the gaffe. The troublesome customer was an American client, further evidence if any were needed that shady commercial stunts have international appeal (SecurityWeek).
WikiLeaks' Julian Assange, he of sound mind, good personal hygiene, and decent behavior toward pets (no, really), continues to fight US extradition requests (Guardian).
Entrepreneur, bon vivant, and bad boy John McAfee (who's no longer connected to the eponymous security company he founded, then sold) says the US Internal Revenue Service is after him, and that he intends to move to a boat, from which he'll conduct his 2020 campaign for the US Presidency while safely afloat in international waters (Cointelegraph). Can this be a good plan? Couldn't law enforcement pursue fleeing suspects beyond the three-mile limit? Or is it like that movie Porky's we remember someone telling us about, where the sheriff has to stop at the county line? (We're asking for a friend.)
Courts and torts.
French regulators have imposed a €50 million ($57 million) fine on Google for violations of the GDPR. At issue was insufficient transparency. The regulators concluded that the consent users gave Google for use of their data was insufficiently informed (Wall Street Journal). Google will appeal (Computing).
In the US, the Federal Trade Commission is reported to be considering levying a large fine against Facebook for privacy lapses. The FTC's largest fine has been the $22.5 million it assessed against Google in 2012. The Facebook action, should it develop, is expected to break that record. The FTC's investigation centers on data misuse in the Cambridge Analytica scandal (SecurityWeek).
Both Facebook and Google would prefer not to be fined, of course, but the amounts talked about in these cases don't remotely approach company-killers, and in themselves will probably have no serious effect on the companies' valuation.
In other GDPR-related litigation, the European gadfly nongovernmental organization noyb has lodged complaints against eight companies that engage in streaming. Four of the companies mentioned in dispatches are European, four American. In this case the complaint is that the companies allegedly failed to provide users with an intelligible account of the personal data they held on the users (SecurityWeek).
The US Democratic National Committee has modified its suit against the Russian Federation and others to include a complaint of phishing attempts after the 2018 midterm elections (SecurityWeek).
Policies, procurements, and agency equities.
The US Government shutdown continues to afflict various agencies' cybersecurity posture (SecurityWeek). The effects seem so far to be peripheral, seen mostly in the form of expiring certificates (Washington Post). But some FBI Special Agents say the budget impasse is having a significant effect on the FBI’s cyber investigations, according to a report released on Tuesday by the FBI Agents Association (FBIAA). While most agents are still working (without pay), they face dwindling funds to pay for key resources. Austin Berglas, a former top official in the FBI’s New York Office Cyber Branch, told the Washington Post that the shutdown is likely hitting cyber investigations particularly hard because these investigations are often more expensive than others. The FBIAA’s report quotes an agent who was unable to pay two critical sources of intelligence. Another agent says they were "unable to schedule a case collaboration meeting with another government agency while the shutdown continues." The FBIAA says that the "situation is not sustainable."
The Government and Federal contractor community around Washington and Baltimore is feeling the pinch. Phoenix TS, an infosec training company based in Columbia, Maryland, is offering free cyber courses to help re-skill workers affected by the shutdown (Fox 5 DC).
The US State Department is pulling together a new cybersecurity team. It will replace the office disestablished by former Secretary Tillerson. So far the projected office seems likely to have to work its way through many Congressional debates over its role and mission (Foreign Policy).
Fortunes of commerce.
Huawei, seeking to mollify New Zealanders over concerns that it presents an espionage risk, has offered to invest $5 million in a security lab that would vet its 5G products for security (Stuff). The company had earlier followed a similar playbook in Europe (New York Times). Many governments, Britain's among them, continue to regard the company with reservations (Telegraph), and telecommunications companies find themselves under some pressure to reevaluate their dealings with Huawei (Telegraph). The latest to announce restrictions on the use of Huawei devices is Taiwan (Nikkei Asian Review), and France's Foreign Minister says he intends to bring the matter up with his Chinese counterpart when the two of them meet (Reuters).
As evidence of the suspicion with which Big Tech is increasingly regarded, see the widely believed conspiracy theory that the Ten Year Challenge meme is a subterfuge by Facebook designed to gather data that will train facial-recognition AI to see through the ravages of time and know you for who you are. Facebook says no, and that they don't have anything to do with the meme, and we're inclined to believe them, and think this is just another instance of the madness of crowds. But as evidence of eroding trust, it's worth thinking about. Of course, if you're really worried about the Ten Year Challenge, as Naked Security points out, you’re about eight years and a trillion photographs too late.
Ambivalence about labor relations isn't helping rebuild trust, either (Telegraph). Mountain View may find some useful suggestions on labor relations here.
Security and HR, nothing else holds fashion. Witness Snap (Wall Street Journal).
Labor markets.
US Federal cybersecurity specialists furloughed during the Government shutdown are said to be increasingly looking for private sector jobs (Ars Technica).
Not all civilian positions are secure, either. McAfee is said to be laying off two-hundred employees in sales, engineering, finance, and human resources (CRN). And Apple has laid off two-hundred workers in its Project Titan autonomous vehicle unit (Computing).
Furloughs and layoffs are temporary and localized perturbations of the labor market. In general, security talent remains in high demand. The evidence lies in the salaries it commands in the marketplace (Dark Reading).
The US Air Force has been looking into where one might find cybersecurity aptitude, and it's decided that maintainers, "wrench-turners," make a better bet than other, more obvious populations (Military.com). It's not the first time cyber talent has been found in overlooked places: many US Navy battleship bandsmen were turned into cryptographers after their ships were lost at Pearl Harbor in 1941, and they did the Republic proud (The Link).
Mergers and acquisitions.
Mobile measurement and fraud-prevention company Adjust has acquired Tel Aviv-based biometrics shop Unbotify (PRNewswire).
Thales's acquisition of SIGINT shop Ercom is thought by some observers to be a bellwether for consolidation in the European cybersecurity market (Intelligence Online).
Healthcare-focused MSP MedicusIT has acquired ISDesign, which offers WAN, disaster recovery, and security expertise (PRNewswire).
Investments and exits.
Strategic Cyber Ventures thinks the private equity market for cybersecurity firms is overheated (SecurityWeek) as investment in the sector reaches record highs (Dark Reading).
Humio, which offers a log management platform that promises enterprises live observability, has received $9 million in a Series A round led by Accel (PRNewswire).
And security innovation.
Juniper Networks has invested $2.5 million in Alchemist, an enterprise-technology accelerator (TechCrunch).
Summit Business Technologies is among the vendors selected to provide defense contractors support under the Maryland Defense Cybersecurity Assistance Program (DCAP).
Is the model of entrepreneurship that prevails in Silicon Valley applicable elsewhere? Some think not (Washington Business Journal).