Thursday, August 30, 2018

Insecure code will cause problems

For consumers, ease of use in the user experience (UX) is paramount; this is the aspect of daily life that draws consumers to a service. One such area is entertainment and recreation. To attend certain events, a ticket for entrance is required, and Ticketmaster is one online service for purchasing them. Ticketmaster, like many other organizations in this field, is multinational. Within the UK arm of Ticketmaster, an issue was recently detected.

Affected Parties
As this organization is so large, a large number of clients were affected: an estimated 40K clients who purchased tickets within the exposure period ending June 23, 2018. The exposure was through Ticketmaster and other websites owned by Ticketmaster, namely Ticketweb and Get Me In!. Those affected may, unfortunately, become victims of identity theft and fraudulent use of their credit cards.

Compromise
This was not a quick operation by attackers breaching the organization for notoriety. The breach and subsequent compromise occurred over several months, estimated from September 2017 to June 23, 2018. The organization was notified of the breach in April 2018. The issue was disclosed on June 23, 2018.
Through this issue, the clients' personal data was exfiltrated. This included the client's name, addresses, phone numbers, payment data, Ticketmaster login, and password. The attackers are still unknown.
The organization should have known there was an issue from the various indicators. The InfoSec team should have noticed something was not correct when the logs were reviewed. What actually brought this to Ticketmaster's attention was an increase in fraud complaints.
The cause of this issue was a simple copy/paste. Ticketmaster recycled code from one of its contractors, Inbenta. The code was originally used in a chat function and was written with functionality in mind, not security. With this code in place, the attackers were able to monitor the data flowing in from clients' orders. The JavaScript was thus used on the payment page for a function it was never coded for. Although the intent was economical, security was not a focus in the SDLC.
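The defensive control this failure points to, shown here as an added example (not Ticketmaster's or Inbenta's code): any third-party script that is allowed onto a payment page is pinned with Subresource Integrity, so a copy whose bytes have changed is refused by the browser, and a Content-Security-Policy limits where scripts may load from and where form data may go. The vendor script bytes, host names and tag below are constructed for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a third-party widget script; not any vendor's real code.
VENDOR_SCRIPT = b"(function(){window.chatWidget={open:function(){}};})();"
# Hypothetical hosts used only to build the tag and policy below.
VENDOR_HOST = "https://widgets.example-vendor.test"
PAYMENT_HOST = "https://pay.example-shop.test"
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the digests browsers accept for SRI


def sri_hash(script, algo="sha384"):
    """Subresource Integrity value for a script: '<algo>-<base64 of the raw digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI supports sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(script, integrity):
    """True only if the fetched bytes match the pinned integrity value.
    A browser performs this check before executing a script that carries an
    integrity attribute; the same check belongs in a release pipeline that
    re-fetches vendored scripts before each deploy."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(script, algo), integrity)


def pinned_script_tag(src, script):
    """Script tag that makes the browser refuse a changed copy of the script."""
    return (f'<script src="{src}" integrity="{sri_hash(script)}" '
            f'crossorigin="anonymous"></script>')


def payment_page_csp(allowed_script_hosts):
    """Content-Security-Policy header value for the payment page: scripts may
    load only from the page's own origin and the listed hosts, scripts may open
    connections only to the page's origin, and forms may post only to it."""
    script_src = " ".join(["'self'"] + list(allowed_script_hosts))
    return (f"default-src 'self'; script-src {script_src}; "
            "connect-src 'self'; form-action 'self'; object-src 'none'")


if __name__ == "__main__":
    integrity = sri_hash(VENDOR_SCRIPT)
    print(pinned_script_tag(f"{VENDOR_HOST}/chat.js", VENDOR_SCRIPT))
    print("Content-Security-Policy:", payment_page_csp([VENDOR_HOST]))
    tampered = VENDOR_SCRIPT.replace(b"open", b"opem")  # one changed byte
    print("pristine verifies:", verify_sri(VENDOR_SCRIPT, integrity))
    print("tampered verifies:", verify_sri(tampered, integrity))
```

The pin has to be regenerated whenever the vendor legitimately ships a new version, which is the point: every change to code that runs on the payment page becomes a deliberate release step rather than something the vendor's CDN decides. A widget that genuinely needs to call its own backend would need that host added to `connect-src`; listing it explicitly is still far narrower than the default of allowing any destination.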
Handling
The issue was not handled exceptionally well. Generally, the entity should embrace the best practice of urgency, transparency, and empathy. Ticketmaster was notified of the breach and elected not to act on it for a month. Ticketmaster did eventually warn the affected customers; the primary recommendation was for clients to reset their passwords. The company should have recognized that if a mistake is made, one owns it and accepts the responsibility. This responsibility should not have been shifted to third parties. In this case, Ticketmaster attempted to push the blame onto the contractor, since this was originally their code.

Lessons Learned
Any entity should be open and honest when there is a breach. This may work to minimize the potential exposure and effects. The code was for the application and should be secure. When this does not cc


Resources
CISOMAG. (2018, June 28). Ticketmaster hacked, payment information of several customers may have been compromised. Retrieved from https://www.cisomag.com/ticketmaster-hacked-payment-information-of-several-customers-may-have-been-compromised/

Freedman, L.F. (2018, July 5). Ticketmaster hit with malware compromising UK customer’s data. Retrieved from https://www.dataprivacyandsecurityinsider.com/2018/07/ticketmaster-hit-with-malware-compromising-uk-customers-data/

Levin, A. (2018, June 28). Why the ticketmaster UK breach could happen to your organization. Retrieved from https://adamlevin.com/2018/06/28/ticketmaster-uk-breach/

Ticketmaster. (2018). Information about data security incident by third party supplier. Retrieved from https://security.ticketmaster.co.uk/

Townsend, K. (2018, June 28). Ticketmaster blames third party over data breach. Retrieved from https://www.securityweek.com/ticketmaster-blames-third-party-over-data-breach

Whittaker, Z. (2018, June 28). Inbenta, blamed for ticketmaster breach, admits it was hacked. Retrieved from https://www.zdnet.com/article/inbenta-blamed-for-ticketmaster-breach-says-other-sites-not-affected/

Zhou, M. (2018, June 28). Ticketmaster says credit card data may have been stolen in UK breach. Retrieved from https://www.cnet.com/news/ticketmaster-hit-by-data-breach-in-the-uk/

Saturday, August 25, 2018

AI to Supplement InfoSec

Few topics are currently generating more press in the computer industry than machine learning (ML) and artificial intelligence (AI). AI has been in development for well over a decade, yet recently has been much more publicized in the press. Most people may be familiar with ML and AI from the movies (Tron, Her, iRobot, Blade Runner, 2001: A Space Odyssey, and many others) or from commercial ventures such as security incident and event management (SIEM) applications (Dawson, 2017). These applications have also reached recreational users through the game of Go, IBM Watson, and other applications.
InfoSec
InfoSec has many functions, too numerous to detail. These include, but are not limited to, log analysis, spam filter applications, network IDS/IPS, fraud detection, botnet detection, user authentication and validation, and monitoring activities in general (Rossi, 2016). With this vast number of responsibilities, time is of the essence. This is only further exacerbated by the mass number of attacks present today, which will continue to grow.
These attacks have increased over time as a function of the growing attack surface of ever more data and system complexity, coupled with the potential revenue to be generated. The amount of data generated from daily operations keeps increasing, making it difficult to analyze all of it (Siwicki, 2017). This grows, in turn, as a business moves from small to medium, or from medium to large. The increased number of available threats (Stevens, 2018) has subsequently increased network breaches in the mid-decade (Li, 2015) and recently. Although this is abstract, the reality of the situation incorporates the actual cost to the organization. In 2013, the estimated global cost of cybercrime was $113B (Sanders, 2015). As the number of attacks has grown along with the mass volume of data being targeted daily, the cost has increased rather significantly.
These attacks have also increased in depth, moving from the shallow, low-hanging fruit to more in-depth, complex attacks, helped along by the number of new tools engineered specifically to compromise systems and designed with a GUI for complete ease of use.
The attacks have also increased in criticality. The targets are involved with more critical operations for the organization. The attacks are becoming more concerned with these high-value targets, which receive greater attention when compromised.
Current Workforce
In InfoSec, as a general indicator, there has been and continues to be a significant shortage of qualified staff. In cybersecurity, this is much worse. There presently is and will continue to be a severe shortage of cybersecurity professionals throughout the country (Li, 2015). The issue isn't merely that the number of staff members is insufficient, but also one of experience. The expertise of the staff members is also lacking (Cowley & Greitzer, 2016).
One area where this is specifically problematic is the automotive cybersecurity field. With the new modules and operations, along with the new push for autonomous drive (AD) vehicles, there is a much larger need for cybersecurity professionals. This demand for automotive cybersecurity professionals will continue to outpace the supply (Uchill, 2017).
Staffing Limitations
The InfoSec staffing shortage is well-known, published in various media, and a challenge (ISACA, 2018). This shortage is not localized but a global issue (Ollmann, 2016). Within this industry, 59% of cyber- and InfoSec positions are not filled (Zorz, 2018). The same study also noted 54% of respondents say filling an open position generally requires at least three months. This time frame is not acceptable.
To further this, 59% of enterprises responded that the organization had open security positions (Teitler, 2018). This is for a limited time span; over time, this has also been the case. ESG recently conducted its annual global survey focusing on the state of IT. From this survey, the number of organizations claiming a shortage of cybersecurity skills has increased since at least 2014 (Oltsik, 2018). This study indicated the obvious: filling these cybersecurity positions was more difficult in 2018 than in 2017 (Rio, 2018).
Expected Labor Force Shortage
As noted, the past and present shortage of qualified, experienced cybersecurity staff has been growing noticeably (Morgan, 2017). This is the reality for the industry. Looking forward, the shortage of staff is expected to be approximately 1.8M by 2020-2022 (Condon, 2018; Stolte, 2018; MacDonald, 2018; Gil, 2018; Kawamoto, 2017).
AI to the Rescue
The past, present, and future labor shortage is well-known. One discipline which may be of assistance is AI (Rio, 2018). While this is not a panacea and won't solve all the presented issues (Oliver, 2018), there is a clear benefit to its implementation (Scroxton, 2018). In general, AI will be able to increase human productivity (Reese, 2018). As the organization experiences the beneficial processes, the cybersecurity teams will achieve a greater level of understanding (Ismail, 2017). This greater depth of understanding will provide for a faster, better, and less costly cybersecurity program.
This understanding will allow the upgraded modules to better identify threats, assess the risk, and apply the remediation protocol. Identifying threats has proven difficult because the attack surface and data continue to grow. There is a limited amount of resources being applied to the network, endpoint protection, applications, cloud services, mobile devices, and other points and processes. Assessing the risk involves correlating external threat data with business criticality. This activity alone is well-suited for ML and AI applications, along with the added functionality AI provides. This may be used to assess the security gaps and possible points of breach or compromise.
Trust
For the full implementation of AI into InfoSec, there has to be trust in the system. The humans require a full understanding and appreciation of the system, knowing the risk of an oversight or negligent decision is as close to null as possible, with the awareness that there will be a rather insignificant level of potential error in the application. No human has decided without an error on some level over decades of work. This confidence in the system is vital (Stilgherrian, 2018).
For the trust to be in place, two pertinent factors need to be in place: operational and data security (Hengstler, Enkel, & Duelli, 2016). The operational safety facet involves the technology itself being reviewed and approved per the appropriate level of governance. The data itself also has to be secure and not modified. With these fully engaged, the issue of a lack of trust would be marginalized.
Replacing Humans
Another issue noted is that the AI system would replace most of the humans, leading to mass unemployment. Users may have visions from Hollywood of the machine taking over step by step. This will not be the case. The AI systems will work to supplement the workflows, not replace humans, freeing time which may be applied elsewhere to other projects (Rio, 2018).
There are many types of duties and work which AI is not able to do (Skilton, 2017). Humans have the ability to generalize, reason through issues, and use intuition, which cannot be fully replaced by code or a machine (Towers-Clark, 2018). From this, clearly, the cybersecurity role is not and won't be targeted (Korolov, 2016).
Regarding job functions, there will be fewer jobs at risk of being affected by automation than previously thought (Vincent, 2018). The need for humans will not lessen as the new paradigm shift occurs. This will potentially affect, to their detriment, low-skilled jobs. As an example, AD bus lines have been in use for over a year on the campus of the University of Michigan-Ann Arbor. These naturally have a limited scope of use; however, they have been in place, are actively used, and are trusted by the students and the University.
AI will be used more to review threats originating from outside the entity (Needle, 2017), for data protection (Help Net Security, 2018), to detect anomalies in traffic, and to create a more difficult environment for attackers to compromise (Osborne, 2018).
There is a level of faulty reasoning here, as the AI system will not be usurping the human's authority and autonomy. The industry and civilization will still need human developers (Merritt, 2018). There is no question as to this use case. Humans will be needed to advance the tools we have in place presently. Each business is unique in its parameters and application requirements (Allen, Filar, & Seymour, 2017). Humans will be needed to fulfil the varied requests and requirements in a creative manner. While creativity is one of the functions of AI in the long term, humans will still need to be directly involved in these endeavours.
Humans will be required to manage the contingencies involved with business operations, incident response, and many other areas. While in computing this is a controlled process, the human aspect will be needed as creativity is a required function. The decision process is multi-faceted and will still require a human's interpretation of events and ranking in the decision matrix.
ML and AI will assist with InfoSec as an effective assistant (Siwicki, 2017). The uses are too numerous to enumerate; however, the generalized uses are notable. These include, but are not limited to:
a. Analyzing the mass amount of data generated daily from operations, AD vehicles, and the myriad of other sources (Graham, 2018),
b. Improving accuracy, which would subsequently increase the human's confidence (Ashford, 2017),
c. Automating initial and secondary false positive review (Morgan, 2017), effectively freeing up a large block of time for the InfoSec team,
d. Improving predictive analytics to possibly identify pre-compromised targets, reviewing the requirements for the InfoSec team to remediate issues,
e. Force multiplying; as this will supplement the InfoSec team's efficiency, allowing each member of the team to achieve more in different areas, and
f. Training, personalized for each staff member to assist them with their position, goals, and careers.
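Items a and c above in concrete form, as an added example that is not from any of the cited sources: a first pass of false-positive review in which each alert is compared with the account's own recent history and with a list of authorised scanners, auto-closed only when a rule can state why, and otherwise escalated to a person. A statistical baseline from the standard library stands in for a trained model; the account names, counts and addresses are constructed.

```python
import statistics

# Constructed hourly failed-login counts per account over the previous 12 hours.
HISTORY = {
    "svc-backup": [3, 4, 3, 5, 4, 3, 4, 5, 3, 4, 4, 3],  # service account that fails often
    "alice": [0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0],       # interactive user, rarely fails
}
# Hypothetical addresses the organisation's own vulnerability scanner runs from.
KNOWN_SCANNERS = {"10.0.5.5"}
# Constructed alerts as a SIEM might emit them for the current hour.
ALERTS = [
    {"id": "A-1", "type": "failed_logins", "user": "svc-backup", "count": 5, "src": "10.0.0.12"},
    {"id": "A-2", "type": "failed_logins", "user": "alice", "count": 37, "src": "203.0.113.9"},
    {"id": "A-3", "type": "port_scan", "user": None, "count": 900, "src": "10.0.5.5"},
    {"id": "A-4", "type": "failed_logins", "user": "bob", "count": 2, "src": "10.0.0.40"},
]


def baseline_threshold(samples, sigmas=3.0, floor=5):
    """Highest count still considered normal for an account: mean plus
    `sigmas` population standard deviations, never below `floor` so that a
    quiet account is not escalated for a single mistyped password."""
    mean = statistics.mean(samples)
    spread = statistics.pstdev(samples)
    return max(mean + sigmas * spread, floor)


def triage(alert, history=HISTORY, scanners=KNOWN_SCANNERS):
    """Return (decision, reason). Every auto-close carries the rule that
    justified it, so a reviewer can audit the assistant's work; anything the
    rules cannot explain is escalated rather than silently dropped."""
    if alert["type"] == "port_scan" and alert["src"] in scanners:
        return "auto-close", f"source {alert['src']} is an authorised scanner"
    if alert["type"] == "failed_logins":
        samples = history.get(alert["user"])
        if not samples:
            return "escalate", f"no baseline for account {alert['user']}"
        limit = baseline_threshold(samples)
        if alert["count"] <= limit:
            return "auto-close", f"{alert['count']} failures within baseline (limit {limit:.1f})"
        return "escalate", f"{alert['count']} failures exceed baseline (limit {limit:.1f})"
    return "escalate", f"no rule for alert type {alert['type']}"


def triage_all(alerts=ALERTS):
    """Map alert id to its (decision, reason) pair."""
    return {a["id"]: triage(a) for a in alerts}


if __name__ == "__main__":
    for alert_id, (decision, reason) in triage_all().items():
        print(f"{alert_id}: {decision:<10} {reason}")
```

The design choice worth noting is the asymmetry: an alert is closed only when a stated rule matches, and an unknown account, an unknown alert type or a count above the baseline all go to a human. That keeps the time saving on the routine cases without letting the assistant suppress the one alert nobody has a rule for yet.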
Supplement and Augment
AI will be a benefit to commercial organizations, consumers, and others involved. In the InfoSec context, the benefits are numerous and too expansive to list. As the implementation evolves and increases in usage, this will become more evident and show not only its promise but also its potential to make the InfoSec worker more efficient and multiply their efforts.
This shift in application will not be quick. This is as it should be: with this level of technology shift, the steps need to be sure, planned, and executed within a governance model.

References
Allen, C., Filar, B., & Seymour, R. (2017, October 19). Harnessing the power of conversational interfaces in security. Retrieved from https://www.oreilly.com/ideas/harnessing-the-power-of-conversational-interfaces-in-security

Ashford, W. (2017, October 18). McAfee forges ahead with analytics, deep learning and AI. Retrieved from http://www.computerweekly.com/news/450428465/McAfee-forges-ahead-with-analytics-deep-learning-and-AI

Condon, J. (2018, May 8). Survey suggests younger generations, including females, may fill the cybersecurity talent gap. Retrieved from https://www.protectwise.com/post/survey-suggests-younger-generations-including-females-may-fill-the-cybersecurity-talent-gap/

Cowley, J.A., & Greitzer, F.L. (2015). Organizational impacts to cybersecurity expertise development and maintenance. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 59(1), 1187-1191. doi:10.1177/1541931215591185

Dawson, J. (2017, October 1). Training machine learning for cyberthreats. Retrieved from https://www.afcea.org/content/training-machine-learning-cyberthreats

Gil, L. (2018, March 22). The debate is over: Artificial intelligence is the future for cybersecurity. Retrieved from https://www.scmagazine.com/the-debate-is-ver-artificail-intelligence-is-the-future-for-cybersecurity/article/749603/

Graham, K. (2018, April 13). Managing cybersecurity in the age of artificial intelligence. Retrieved from http://www.digitaljournal.com/tech-and-science/technology/managing-cybersecurity-in-the-age-of-artificial-intelligence/article/519790

Help Net Security. (2018, April 4). Would automation lead to improved cybersecurity? Retrieved from https://www.helpnetsecurity.com/2018/04/04/automation-cybersecurity/

Hengstler, M., Enkel, E., & Duelli, S. (2016). Applied artificial intelligence and trust-The case of autonomous vehicles and medical assistance devices. Technological Forecasting & Social Change, 105(2016), 105-120. doi:http://dx.doi.org/10.1016/j.techforce.2015.12.014

ISACA. (2018). State of cybersecurity 2018: Part I: Workforce development. Retrieved from http://ww.isaca.org/Knowledge-Center/Research/Documents/cyber/state-of-cybersecurity-2018-part_1_res_eng_0418.pad?regnum=441968

Ismail, N. (2017, April 19). The role of AI in cyber security. Retrieved from http://www.information-age.com/role-ai-cyber-security-123465795/

Kawamoto, D. (2017, June 7). Cybersecurity faces 1.8 million workers shortfall by 2022. Retrieved from https://www.darkreading.com/careers-and-people/cybersecurity-faces-18-million-worker-shortfall-by-dd-id/1329084

Korolov, M. (2016, December 2). AI is coming, and will take some jobs, but no need to worry. Retrieved from https://www.csoonline.com/article/3146137/it-careers/ai-is-coming-and-will-some-jobs-but-no-need-to-worry.html

Li, C. (2015). Penetration testing curriculum development in practice. Journal of Information Technology: Innovation in Practice, 14, 85-99. doi:https://doi.org/10.28945/2189

MacDonald, R. (2018, June 18). Working through the cybersecurity skills gap. Retrieved from http://www.helpnetsecurity.com/2018/06/18/working-cybersecurity-skills-gap/

Merritt, T. (2018, May 3). Top 5: Tips for using AI in your business. Retrieved from https://www.techrepublic.com/article/top-5-tips-for-using-ai-in-your-buisness/

Morgan, S. (2017, June 6). Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021. Retrieved from https://www.csoonline.com/article/3200029/security/cybersecurity-labor-crunch-tohit-35-million-unfilled-jobs-by-2021.html

Oliver, J. (2018, March 29). Introduction to machine learning (ML) for cybersecurity. Retrieved from http://www.cyberdefensemagazine.com/introduction-to-machine-learning-ml-for-cybersecurity/

Ollmann, G. (2016, December 28). How artificial intelligence will solve the security skills shortage. Retrieved from https://www.darkreading.com/operations/how-artificial-intelligence-will-solve-the-security-skills-shortage/a/d-id/1327756

Oltsik, J. (2018, January 11). Research suggests cybersecurity skills shortage is getting worse. Retrieved from https://www.cso.online/article/3247708/security-research-suggests-cybersecurity-skills-shortage-is-getting-worse.html

Osborne, C. (2018, March 21). Artificial intelligence key to do “more with less” in securing enterprise cloud services. Retrieved from http://www.zdnet.com/article/artificial-intelligence-key-to-do-more-with-less-in-securing-enterprise-cloud-services/

Rio, A. (2018, June 21). Will AI help close the skills gap? Retrieved from http://www.clomedia.com/2018/06/21/will-ai-help-close-the-skills-gap/

Rossi, B. (2016, June 20). Bring the noise: How AI can improve cybersecurity. Retrieved from http://www.information-age.com/technology/security/123461b38/bring-the-noise-how-ai-can-improve-cyber-security

Sanders, A. (2015, October 29). Will AI be smart enough to protect us from online threats? Retrieved from https://techcrunch.com/2015/10/29/will-ai-be-smart-enough-toprotect-us-from-online-threats/

Scroxton, A. (2016, January 24). AI is moving towards acceptance in cybersecurity, says Check Point. Retrieved from https://www.computerweekly.com/news/252433705/AI-is-moving-towards-acceptance-in-cyber-security-says-Check-Point

Siwicki, B. (2017, June 29). Artificial intelligence is giving healthcare cybersecurity programs a boost. Retrieved from http://www.healthcareitnews.com/news/artificial-intelligence-giving-healthcare-cybersecurity-programs-boost

Skilton, M. (2017, February 13). Impact of artificial intelligence on cyber security. Retrieved from https://www.huffingtonpost.com/professor-mark-skilton/impact-of-artificial-inte_b_14702160.html

Stevens, G. (2018). How to approach AI-enhanced cybersecurity. Retrieved from https://www.scmagazine.com/how-to-approach-ai-enhanced-cybersecurity/article/761867/

Stilgherrian. (2018, August 1). AI can deliver ‘faster better cheaper’ cybersecurity. Retrieved from https://www.zdnet.com/article/ai-can-deliver-faster-better-chearper-cybersecurity/

Stolte, R. (2018, June 21). Filling the cybersecurity skills gap with artificial intelligence. Retrieved from http://journal.ahima.org/2018/06/21/filling-the-cybersecurity-skills-gap-with-artificial-intelligence/

Teitler, K. (2018, May 1). ISACA workforce development report highlights need for more & more qualified security employees. Retrieved from https://www.misti.com/infosec-insider/isaca-workforce-development-report-highlights-need-for-more-qualified-security-employees

Towers-Clark, C. (2018, April 21). AI will not take our jobs, but it will fundamentally change them. Retrieved from https://www.gigabitmagazine.com/ai/ai-will-not-take-our-jobs-it-will-fundamentally-change-them

Uchill, J. (2017, July 30). Demand for automotive cybersecurity pros outpaces supply. Retrieved from http://thehill.com/policy/cybersecurity/344539-demand-of-automative-cybersecurity-pros-outpaces-supply

Vincent, J. (2018, April 3). AI and robots will destroy fewer jobs than previously feared, says new OECD report. Retrieved from https://www.theverge.com/2018/4/3/17192002/ai-job-loss-predictions-forecasts-automation-oecd-report  

Zorz, Z. (2018, April 17). Tech-skilled cybersecurity pros in high demand and short supply. Retrieved from https://www.helpnetsecurity.com/2018/04/17/cybersecurity-pros-high-demand/


Tuesday, August 21, 2018

Adidas Issues: Breaches Abound

Most people have seen or are aware of the Adidas brand of shoes, clothing, and other products. These are sold in retail establishments and online. Recently Adidas had the opportunity to experience the excitement of a breach with their online venture.

An unauthorized party accessed the Adidas servers. This was unknown to Adidas until the company was notified by a third party. The data was exfiltrated on June 26, 2018, and included users' contact information, usernames, and encrypted passwords. Fortunately for the users, their credit card details and health-oriented data were stored elsewhere. With any breach, the vector and method could, in theory, take many forms; in this case, the method is unknown. To understand how this happened, Adidas is working with a security firm and law enforcement.

The affected parties were the Adidas customers purchasing products on the adidas.com/US website. This has affected literally millions of people.

One open question involves the InfoSec controls in place at Adidas. Seemingly, the security team, the SIEM, or something would have noticed the mass amount of data for millions of clients leaving the organization; instead, Adidas had to learn of this from a third party. Also, the logs would have indicated, unless modified by the attackers, that this area was accessed by an unauthorized party. There are these and many other questions regarding the breach, which hopefully will be answered in the upcoming weeks.

Looking forward, the enterprise should have some form of monitoring device or staff in place to review anomalies, unusual access, etc. This would hopefully have noted there was an issue and begun to limit the damage.
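The kind of monitoring the paragraph calls for, as an added example rather than anything from Adidas or the cited reports: parse outbound flow-log lines, aggregate bytes sent per internal host per day, and flag a host whose egress jumps far above its learned baseline, especially towards a destination it has never talked to. The log lines, addresses and baseline figures are constructed.

```python
import re
from collections import defaultdict

# Constructed flow-log lines, one per outbound connection; not real traffic.
FLOW_LOG = """\
2018-06-25T01:10:00Z src=10.1.2.30 dst=198.51.100.7 bytes_out=120000
2018-06-25T09:00:00Z src=10.1.2.30 dst=198.51.100.7 bytes_out=310000
2018-06-25T10:00:00Z src=10.1.2.31 dst=203.0.113.40 bytes_out=2200000
2018-06-26T02:14:00Z src=10.1.2.30 dst=192.0.2.77 bytes_out=8734000000
2018-06-26T02:40:00Z src=10.1.2.30 dst=192.0.2.77 bytes_out=6100000000
2018-06-26T11:00:00Z src=10.1.2.31 dst=203.0.113.40 bytes_out=2500000
"""
# Constructed per-host baseline: typical daily bytes out and the external
# destinations seen during an earlier learning window.
BASELINE = {
    "10.1.2.30": {"daily_bytes": 450000, "destinations": {"198.51.100.7"}},
    "10.1.2.31": {"daily_bytes": 2400000, "destinations": {"203.0.113.40"}},
}
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")


def parse(log_text):
    """Yield (day, src, dst, bytes_out) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["ts"][:10], m["src"], m["dst"], int(m["bytes"])


def daily_egress(records):
    """Aggregate to {(day, src): {"bytes": total, "destinations": set}}."""
    out = defaultdict(lambda: {"bytes": 0, "destinations": set()})
    for day, src, dst, sent in records:
        out[(day, src)]["bytes"] += sent
        out[(day, src)]["destinations"].add(dst)
    return out


def find_exfiltration(log_text, baseline=BASELINE, multiplier=10):
    """Return (day, src, reason) for each host-day whose egress is at least
    `multiplier` times its baseline, or whose host has no baseline at all.
    A new destination on top of the volume spike is called out separately
    because that pairing is the pattern a bulk data theft leaves behind."""
    findings = []
    for (day, src), agg in sorted(daily_egress(parse(log_text)).items()):
        base = baseline.get(src)
        if base is None:
            findings.append((day, src, "unknown host with outbound traffic"))
            continue
        new_dsts = sorted(agg["destinations"] - base["destinations"])
        ratio = agg["bytes"] / base["daily_bytes"]
        if ratio >= multiplier and new_dsts:
            findings.append((day, src, f"{ratio:.0f}x normal egress to new destination(s) {new_dsts}"))
        elif ratio >= multiplier:
            findings.append((day, src, f"{ratio:.0f}x normal egress to known destinations"))
    return findings


if __name__ == "__main__":
    for day, src, reason in find_exfiltration(FLOW_LOG):
        print(f"{day} {src}: {reason}")
```

The baseline here is a fixed table; in practice it is rebuilt from a rolling window, and the multiplier is tuned per host class (a backup server legitimately moves far more than a workstation). The check that matters for the scenario in this post is the combination of volume and novelty: millions of records leaving for an address the host has never contacted is exactly the event a third party should not have to report to you.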

Resources
Adidas. (2018, June 18). Adidas alerts certain consumers of potential data security incident. Retrieved from https://www.adidas-group.com/en/media/news-archive/press-releases/2018/adidas-alerts-certain-consumers-potential-data-security-incident/

Gibson, K. (2018, June 28). Adidas data-security breach could involve “a few million customers”. Retrieved from https://www.cbsnews.com/news/adidas-security-breach-could-involve-a-few-million-customers/

Green, A. (2018, June 1). Adidas website hacked, changes your passwords now. Retrieved from https://www.komando.com/happening-now/468214/adidas-website-hacked-change-your-password-now

Humphries, M. (2018, June 29). Adidas website hacked, millions of US customer details stolen. Retrieved from https://www.pcmag.com/news/362173/adidas-website-hacked-millions-of-us-customer-details-stolen

Jones, R. (2018, June 29). Adidas warns customers of website hack. Retrieved from https://solecollector.com/news/2018/06/adidas-website-hack

Murdoch, J. (2018, June 29). Adidas hack: ‘Millions’ of U.S. website customers warned of cyber theft. Retrieved from http://www.newsweek.com/adidas-breach-hack-us-website-customers-warned-their-data-has-been-hacked-1000974

Sepe, R. (2018, June 29). Adidas US website hit by data breach. Retrieved from https://www.darkreading.com/cloud/adidas-us-website-hit-by-data-breach/d/d-id/1332186

Wednesday, August 15, 2018

Let's Learn from our Mistakes!: Phishing is still an issue

A bank robber, after being apprehended, years ago was asked “Why did you rob the bank?” The simple and direct response was, “That’s where the money is.” There is no difference today. Organizations will be targeted due to an asset the attackers want access to. This may be data or information, or the familiar cash.

An incident happened to a bank in Virginia and, within eight months, the same happened again. These incidents illustrate the importance of relevant, regular training on phishing attacks.

Incidents
The target was The National Bank of Virginia, located only in Virginia. The bank was compromised twice in eight months, with a total of an estimated $2.4M stolen. The first attack was on May 28, 2016. It continued through Monday (Memorial Day) and was subsequently detected. The focus of this and the second successful compromise was cash. Once the bank was compromised, the money was stolen through hundreds of ATMs across North America using cards onto whose magnetic strips the true users' data had been placed. In the first incident, $569,648.24 was withdrawn through the ATMs.

Once the breach was detected, the bank contracted with Foregenix to complete the forensic review. In June 2016, the bank put in place the additional security protocols recommended. Curiously, the bank was breached again, allegedly by the same group, in January 2017. Through this attack the attackers were able to steal $1.8M.

Methodology
The two rather deeply probing and expensive attacks were successfully completed with simple phishing emails with attachments. The user opens the email, clicks on the link or opens the attachment, and potentially the IR (Incident Response) team and other operations have a long day and/or weekend. In the first attack, the initially compromised computer was used to compromise another. This second computer accessed the STAR Network, which is managed by First Data and is used to manage debit cards, transactions, customer accounts, and the use of ATM and bank cards.

With the compromised computer, the attackers had the ability to disable and modify the anti-theft, and anti-fraud protections. This included the PIN, withdrawal limits for the individual person, daily usage, maximums for the debit cards, and fraud score protections.

The interesting twist is that, either by luck or by learning from the first attack, the attackers also gained access to Navigator, which the bank used to manage its customers' debits and credits.

During the second compromise, the attackers credited the bank's client accounts for $1,833,984 through several hundred ATMs. The second compromise also occurred over a weekend, between January 7-9, 2017. To make matters worse, the attackers modified for their needs or removed the bank's critical security controls.

For the second compromise, Verizon was contracted for the forensic review. Verizon noted this was probably done by the same attackers, and the method for entry was the malicious Word document attached to the phishing email.
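Both intrusions began with an attachment that carried executable content, so one of the cheapest controls sits at the mail gateway: hold any Office attachment that contains a macro project before it reaches a person. The following is an added example (not the bank's, Foregenix's or Verizon's tooling) that inspects a modern Office file as the ZIP package it is; the sample documents it builds are constructed, with a placeholder string where a real VBA project would be, and legacy binary .doc files are only recognised and routed elsewhere.

```python
import io
import zipfile

# Content types from the Office Open XML specification.
MACRO_MAIN_PART = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_PART = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")
# Magic bytes of the legacy OLE2 compound file used by binary .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_docx(with_macros):
    """Constructed minimal OOXML package used as sample input. The macro part
    is a placeholder string, not real VBA, so the sample is inert."""
    main = MACRO_MAIN_PART if with_macros else PLAIN_MAIN_PART
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Return the list of reasons to hold an attachment for review.
    An empty list means no macro indicators were found; it is not proof of
    safety, since links and exploit content inside the XML are out of scope."""
    if data.startswith(OLE_MAGIC):
        return ["legacy OLE container: macros not enumerated here, route to sandbox"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return ["not a recognised Office package"]

    reasons = []
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        reasons.append("contains a VBA macro project")
    if "macroEnabled" in content_types:
        reasons.append("declares a macro-enabled main document part")
    if any(n.lower().startswith("word/embeddings/") for n in names):
        reasons.append("contains embedded objects")
    if reasons and filename.lower().endswith(".docx"):
        # The extension claims a macro-free file; the contents say otherwise.
        reasons.append("macro indicators behind a .docx extension")
    return reasons


if __name__ == "__main__":
    samples = [("invoice.docm", build_sample_docx(True)),
               ("invoice.docx", build_sample_docx(True)),
               ("memo.docx", build_sample_docx(False)),
               ("old.doc", OLE_MAGIC + b"\x00" * 504)]
    for name, blob in samples:
        print(name, "->", inspect_attachment(name, blob) or ["no macro indicators"])
```

Two checks are deliberately independent: the presence of `word/vbaProject.bin` and the macro-enabled content type. A file renamed to `.docx` still contains both, which is why the extension is consulted last and only to add a reason, never to clear one.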

Cyber-Insurance
The bank did have cyber-insurance in place and in force at the time of the attacks, with Everest National Insurance Company. Once the claim(s) had been filed, the insurer did not want to pay. There were two exclusions, and the insurance company claimed this fell under its Debit Card rider. The bank then filed a lawsuit in the Western District Court of Virginia, Roanoke Division (Civil Action No. 7:18CV310).

Lessons Learned
Cybersecurity presents a new environment for the enterprise to thrive in. One aspect that is particularly new is cyber-insurance. The insurance industry is still working to detail the workings, interpretation, and method of applying it. In purchasing this service and insurance, the business needs to be wary and complete its due diligence, so that senior management is aware of the coverage, as much as they are able to be.

One aspect to fully explore is the exclusion riders. These, when possible, should be minimized in number. Where they are required, any ambiguity in the wording should be explored, detailed, and documented, so that ambiguities are limited. Notwithstanding a section to the contrary, the emails and other documents should fill in the gaps.

The exclusions work to limit the insurance company's exposure to certain attacks. The industry may not know of a certain attack, or of one that has not been published yet; the attack vector may not be known yet. The business may be waiving its right to coverage for an unknown attack, or one that has not been created yet.

The business should actively consider consulting an attorney specializing in this area with regard to the cyber-insurance policy and rider. The agreement and insurance rider are written with the insurance company's interests in mind. The sections and riders may be vague where the insurer needs them to be, allowing exclusions to be applied where the insurer needs them.

Insurance works, in theory and in practice, by pooling risk. The pool consists of individual policies. The insurance companies use large mathematical formulas to determine what factors to take into account. The larger the pool, presumably the less overall risk, the fewer claims, and subsequently the larger the profits. If there are too many claims, the insurance company's profits will be lower. These organizations are profit-driven, not altruistic entities.

Even if the organization follows industry standards and recommendations, there may be issues. The InfoSec environment is ever-changing. There are new attacks, updated old attacks, nuances, or old issues never fixed. To anticipate every issue and attack angle is not possible.

Phishing continues to be a rather viable attack vector. These can be skillfully crafted, with the business symbols and graphics. All it takes is one person in the right department (e.g. accounting, finance, tax, or Human Resources) clicking on one link and the business operations can get very interesting, very quickly. The phishing training needs to be regular, and relevant.


Alaska DHSS Breach: Trouble in the North

Most states have an agency, under various names, whose responsibility is to assist the citizens and the public when this is needed. This may be in the form of financial assistance, vouchers, or a combination of these. As part of the duties, the staff have to collect data on each person. This is part of the natural standard operating procedure for the service. This personal data has value in various circles.

A recent issue involves the state of Alaska’s Division of Public Assistance. On April 26 or 30, 2018, a Division of Public Assistance computer was found to have an unauthorized program on it. Normally, this is not the optimal situation; however, it does happen. The opportunity for an issue increases substantially when the program/software is not only unauthorized but unintentional. In this case, the agency’s system just happened to be infected with Zeus. Zeus, curiously enough, was coded to steal confidential, sensitive information from the infected system. This data and information were exfiltrated to systems in Russia.

This data included the person’s name, date of birth, social security number, pregnancy status, death records, health billing, driver’s license number, phone number, and Medicaid/Medicare billing codes for those estimated 500 persons affected, living throughout northern Alaska. This basically included most of the data you would need to take over someone’s identity.

The attack vector for this generally has been a phishing email. The sender historically has appeared to be a government agency or large corporation. The agency did report this, as required by Federal statute, and published a press release on the internet.

Lessons to be Applied
With organizations consisting of multiple sites, the lack of complete communication can lead to certain issues. This hindrance should, however, not be a roadblock. As an example, after the Western Region detected the compromised system and the incident response was nearly or completely done, a follow-up announcement should have been made, along with training, now and with regularity, to reinforce what can happen when staff simply click. This example of what occurred in the region, and of what people will now have to go through, should provide the real-life material to motivate people to do better. This would reinforce what can actually happen.



MyHeritage breach: Those are my credentials!

The attackers are consistently looking for a business’ crown jewels to exfiltrate. Data, in general, tends to be the target of these attacks. Once obtained, the attackers may sell it, or use it for their own advantage. Of particular interest in the last few years has been a person’s DNA and family history.

This service has grown in use as people may not know their family history. They want to gain a greater grasp of their heritage. The DNA test is a tool to gain a portion of this information.

Target
There are a number of services that provide this data to the consumer. One of these is MyHeritage, a web-based genealogy and DNA testing service. As users send in their DNA samples and these are processed, the business keeps the data on its servers. The attack targeted the business’ user login credentials and used these for various malicious ends.

Attacks
The system where the data was held was compromised on October 26, 2017. The attackers were able to exfiltrate email addresses and hashed passwords. These were later found on a private server, not under the company’s control. There were over 92M affected users. Fortunately, the DNA report results were stored on a different system. This other system had more defences in place. The business had not determined how this was done.

Post-Attack 
The business did not know the attack’s method, or even that it had been compromised. The business was notified by a non-associated security researcher. The third-party researcher noted they had found a file located on a private server. There had been no evidence yet that the data itself had been used for malicious purposes. After the attack, in an attempt to increase the defence, two-factor authentication (2FA) was implemented at a quicker pace.


Monday, August 6, 2018

Android Phones and Pre-Loaded Adware: Not a Good Combination

Generally, when a consumer purchases their new smartphone, the routine is set. The phone is purchased, the consumer is rather exuberant, and the phone is used, while the user assumes all is fine. In certain instances, the users have a surprise.

Avast Threat Labs recently detected adware pre-installed on phones. The affected phones are vast, as a few hundred models and versions are affected. The targeted phones were manufactured by ZTE, Archos, and others. The adware placed on the phones was known to be present for over three years and previously was named Cosiloon. Cosiloon has tended to be difficult to remove from the phone as the adware is placed on the firmware level and applies solid obfuscation.

The annoying addition to the baseline Cosiloon displays an ad in the form of an overlay on the user’s selected webpage. With this being difficult to remove, Google has opted to increase the awareness of the issue by contacting the appropriate firmware engineers and developers.

The deeper issue involves the intentional placement of the adware on the phones, to the detriment of the user, and without their express consent. The standard operating procedure is not appropriate. If the user accepts and knowingly authorizes this, the issue is moot. This is however not the case. The manufacturers may be gaining an additional revenue by placing the adware on the phones. This business practice should cease.

Wednesday, August 1, 2018

More Problems for the city of Atlanta

The city of Atlanta operations had been severely crippled and pwned in March 2018, arising from a rather serious and in-depth ransomware attack. This successful attack made the city of Atlanta operations very difficult. The city is still working to recover from this (https://www.helpnetsecurity.com/2018/06/08/wi-fi-phishing-attacks/). On the tail of the issues being remediated, another attack is passively underway. A security firm has detected hundreds of WiFi phishing sites actively working. Surprisingly, these are located not only proximate to the city hall, but also inside of the building. The research firm also detected active attacks in the Georgia State Capitol. This is located merely a few blocks away from the Atlanta City Hall.

The attack was detected by the Coronet Secure Cloud Platform. The specific phishing attacks included Evil Twins, Captive Portals, and ARP Poisoning.
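Of the three attack types named above, ARP poisoning leaves a signature a defender can watch for on the wire: one IP (typically the gateway) suddenly answered by a second MAC, or one MAC answering for several IPs. The detector below is an added example, not code from the post or from Coronet; it runs over a constructed list of ARP replies rather than a live capture.

```python
"""Flag ARP-poisoning indicators in a stream of ARP replies.

Added example (not from the original post). Input is a list of
constructed ARP reply records (timestamp, ip, mac). Two signatures are
checked: an IP claimed by more than one MAC, and a MAC that answers for
more than one IP.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.1 is the gateway. From t=2 a second MAC
# (de:ad:be:ef:00:01) starts answering for it, and at t=5 that same MAC
# also answers for 10.0.0.7, i.e. it is impersonating two hosts.
SAMPLE_REPLIES = [
    (0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (1, "10.0.0.7", "aa:bb:cc:00:00:07"),
    (2, "10.0.0.1", "DE:AD:BE:EF:00:01"),
    (3, "10.0.0.9", "aa:bb:cc:00:00:09"),
    (4, "10.0.0.1", "de:ad:be:ef:00:01"),
    (5, "10.0.0.7", "de:ad:be:ef:00:01"),
]


def detect_ip_conflicts(replies):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC."""
    seen = defaultdict(set)
    for _ts, ip, mac in replies:
        seen[ip].add(mac.lower())  # normalise case so DE:AD == de:ad
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def detect_shared_macs(replies):
    """Return {mac: sorted IPs} for every MAC that answers for more than one IP."""
    seen = defaultdict(set)
    for _ts, ip, mac in replies:
        seen[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


def detect_mac_flips(replies):
    """Return (ts, ip, old_mac, new_mac) each time an IP's answering MAC changes."""
    last, flips = {}, []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in last and last[ip] != mac:
            flips.append((ts, ip, last[ip], mac))
        last[ip] = mac
    return flips


if __name__ == "__main__":
    print("IPs with conflicting MACs:", detect_ip_conflicts(SAMPLE_REPLIES))
    print("MACs answering for several IPs:", detect_shared_macs(SAMPLE_REPLIES))
    print("MAC flips:", detect_mac_flips(SAMPLE_REPLIES))
```

A single flip can also be a legitimate hardware swap, so in practice the gateway's expected MAC is pinned and only deviations from it are alerted on.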

This instance brings up the importance of defensive measures. A static, flat defense is not a workable solution presently. The attackers will utilize the most current methods, pivoting to which method works the best for the circumstance. This does come at a cost, however, this is much better than the costs and expenses associated with breaches.

Static InfoSec Does Not Work Well

Attacks on the enterprise and embedded systems are not slowing down. They are increasing: the attacks are growing in sophistication and in number, the attackers have turned their activities into a business model, and the notoriety associated with an attack has increased the publicity around them. Adding to the issue’s potency, these attackers are located across the globe.

The mainstream, present response is to put the defensive architecture in place, monitor the SIEM, and respond if there is an issue (e.g. an attacker’s successful phishing attack). An immense amount of trust is placed in these appliances to monitor and protect the enterprise. This static thinking has not been, and will not be, acceptable in the future against advanced attackers.

The security operations center (SOC) is under an increasing level of pressure from management and from the attackers. The pressure is budgetary from inside sources, and external from the seemingly daily attacks, both old ones and new ones not experienced previously. Defending against these with a static security architecture, without consistently updating the applications and tools, looks set to create further problems for the CISO and the business.

The InfoSec Architect, to adequately protect the system, has to be flexible and creative. These simple acts would work directly to keep pace with the attackers on various activity and technology levels. Without this in place, the enterprise would be maintaining the security put in place years prior (e.g. bronze age tools) against an enemy using the current attack techniques (e.g. iron age tools).

The enterprise needs to keep pace, or it will continue to be breached and compromised regularly and with ease.