Showing posts with label PII. Show all posts

Tuesday, January 9, 2024

New Devices, Old Problems

 

Technology is a wonderful thing. It has advanced our society, our way of life, and our enjoyment in so many fields. As a simple example, look at cinema and the movies. Could the current level of CGI have been done 15 years ago? Of course not. Likewise, the form factor for laptops has shrunk while the processing power has increased substantially.

With consumers and businesses, technological advances have increased our demand for new products. These could take the form of watches, fitness trackers, laptops, tablets, or anything with a processor. Replacing the old technology creates e-waste, which requires recycling.

While recycling is important, there are also risks with it. The information left on these devices' hard drives is substantial. Think through the files you keep on a hard drive for personal use, and all the critical/private information these hold. The files may be photos of your family, tax returns, bank statements, your will or passport, driver's license, or medical information, just to start. If you are a remote worker, there may also be work data and documents.

When you replace the old equipment, you need to be mindful of this private information. With it in hand, it would be easy enough for someone to work towards identity theft. To mitigate this, you need to sanitize the prior equipment.

The first action item is to back up any information that is important to you. This could be the photos, your resume, or any data you would really miss if you no longer had access to it. This may be done to an external drive or to cloud storage.

If you are logged into any accounts and have not properly logged out, please do so. These may be email accounts, ride-hailing apps, or streaming services. You probably don't want to share this access or information.

You may have software or services on the laptop. You may be able to transfer the software license or service to the new device. This will save you money and the time of re-signing up for these (e.g., AV).

If the device has a SIM or SD card, remove it. There may be documents or other information here you shouldn’t share. This only takes a moment.

Now that you have your important data and information off the equipment, erase the hard drive. To accomplish this, you can do a factory reset.

Lastly, wipe the disk. Granted, the factory reset should be fine and work for some people, but if you have any concerns, use an app and wipe the drive. Two options for this are Disk Wipe and Active Kill Disk. At this point you are safe to manually destroy the drive. The simplest way is to forcibly apply a hammer to the drive. Remember to wear goggles and gloves.

Thank you.


Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture

Red Team Pentesting | HW & SW BoMs | CBoM | 

Vulnerability Management | Tabletop Exercises (TTX) | 

Embedded Systems Architecture | Threat Intelligence | 

TARA (Threat Assessment and Remediation Analysis) 


Disabled Veteran Owned and Operated 

 


Yet Another Compromise

 

There are constantly compromises being published across industries, and many more go unpublished for a variety of reasons. Many years ago, attacks were initiated by people showing off their skills, and the corporations' lack of focus on security allowed these exploits. Times certainly have changed. Now this endeavor has been operationalized, streamlined, and turned into a profit center with an ROI.

Every company is a target for the various attacks. At the heart of most of these attacks is data. This has many uses for the bad actors, from selling it to ransoming it. There are no geographic boundaries either. A company in Michigan recently had the opportunity to enjoy this at great length.

HealthEC, LLC, a population health management platform, is coupled with Corewell Health. The focus of the work is to identify high-risk patients, which is great and beneficial for the patients. The company was recently compromised, leaking confidential data and information on over a million Michigan residents.

The data leaked included the patient's name, address, date of birth, social security number, medical information (e.g., diagnosis, diagnosis code, mental/physical condition, prescription information, and provider's name), and health insurance information. Just the first four data points being compromised is bad enough (e.g., for identity theft), but add in the medical information and health insurance information, and the successful attackers have a field day. This also opens more potential for ransomware to come into play.

To address concerns, HealthEC is offering 12 months of credit monitoring and identity protection services through TransUnion. This may sound great, and it is for the first 12 months. Think about what happens after the 12 months. The stolen data is, in part, permanent, or could be updated with a quick and easy internet search.

Thank you.




Tuesday, June 29, 2021

Carmaker's vulnerabilities aren't just with embedded systems

 

Few companies have full vertical integration of their supply chain, meaning most companies require inputs from outside the company for their products or services. Vehicle OEMs require modules or parts from other manufacturers. The supply chain for this may be rather extensive, depending on the unit or vehicle, and it includes both hardware and software.

With all these other companies involved in the vehicle business, there is bound to be the occasional issue: with so many third parties involved, there will be a problem, or several, somewhere along the supply chain. This has happened before and will certainly happen again. In particular, VW and its subsidiary had the pleasure of addressing this recently.

Customer records, depending on the data, have varying levels of value to the company and to third parties with malicious intent. VW had over 3.3M customer records exposed. This incident is not directly their fault: a vendor happened to leave a cache of customer data open on the internet. We all know what happens when you leave data open and available on the internet. This was not left available for a week or two for anyone to peruse. The data was left open from August 2019 to May 2021, or nearly two years. To make it worse, the customer data did not cover a quarter or a year, but five years (2014-2019). That is a large amount of data there to be viewed, and it is very usable in many applications. This is not only a cybersecurity issue, but also a data science one. This would be valuable to VW's competitors for a variety of uses.

The data itself was collected for VW's marketing and sales department. It included the customers' personal information (name, mailing address, email address, and phone number). Also, over 90K customers in the US and Canada had loan eligibility information exposed, which included driver's license numbers. Of this sample, a small number also had the customer's date of birth and social security number available.

VW informed law enforcement and regulators regarding the issue. They are also working with cybersecurity subject matter experts (SMEs). So the situation is being handled; however, the issue is a bit deeper. The supply chain is a requirement in our society. Few businesses have full vertical integration, so there will be external vendors involved with your product. While the vendors are present and provide their service, the company still should complete its due diligence, not only at the beginning of the business relationship but periodically throughout the time there are transactions. Simply checking the box that the work had been examined in years past is not sufficient. Cybersecurity is a constantly changing industry requiring updated monitoring and adjustment.

Friday, June 25, 2021

Police Departments Continue to be Targeted

 

Police departments are interesting. In business operations, you have business data, customer data, and other points to secure. Police departments have their operational information, but these places also hold a treasure trove of data on the crimes in their area (i.e., evidence). This can be on the persons arrested, the crime, the crime scene, and associated data. In addition, the police provide a critical service for the area they serve.

Due to these factors, police departments have been and continue to be targeted. If simply breaking in isn't enough of an effort, encrypting or exfiltrating their data can be costly to the department. The Azusa police department recently felt the ransomware sting as the department fell victim to this.

On May 28, 2021, the department announced it had been compromised by a ransomware attack. The attackers gained access to the data located in the department's systems. The department did not pay any ransom or fee. The details have not been provided. From the published information, the ransom was based on releasing information rather than encrypting the systems.

The data accessed does appear to be PII, unfortunately. In this case, the attackers appear to have accessed social security numbers, driver license numbers, California identification numbers, and financial account or health insurance information. The police department recommended that the affected parties monitor their credit reports, account statements, and other information for any unusual or suspicious activity.

This is another example of the far-reaching effects of ransomware. Granted, the police department was not affected much; however, the persons' permanent and long-term information was. If the data is used for unauthorized purposes, correcting this can be difficult and time consuming, not to mention frustrating.

 

Tuesday, June 1, 2021

Ransomware around the world

 

Everyone needs insurance. It takes various forms: life, health, disability, and others. One firm in this industry is AXA S.A., a global firm with vast reach. A huge company of this size certainly has ample data to target. A portion of the network was attacked with ransomware.

On May 9, 2021, AXA S.A. announced that company policy was not to pay the ransom in the event of a successful ransomware attack. At that point, the company may have created a bit more attention than intended for itself. The company, interestingly enough, was a victim of ransomware right after this. The target was one of its Asia Assistance divisions. In this case, the division's information technology services were adversely impacted for Thailand, Malaysia, Hong Kong, and the Philippines, and their data was accessed. Allegedly, the Avaddon ransomware group was responsible for the successful attack. During the attack, apparently 3TB of data were exfiltrated. This included ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contracts and reports, customer IDs, scanned bank account papers, and hospital and doctor reserved material (private investigations for fraud, and customer medical reports, including HIV, hepatitis, STD, and other illness reports).

Sometimes it is better to just remain in obscurity.

Wednesday, June 10, 2020

This doesn’t add up: Chartered Professional Accountants Canada Breached!

With most industries, there is a trade association or group. The focus of these is to bring together leaders and members to discuss issues, communicate messages to the membership, and be a portal for the industry. Accounting is no different. In the US, we have the AICPA, which administers these tasks. This is accomplished in a timely, exceptionally professional manner. Canada is no different, in that the accounting industry likewise has this for our northern friends. Another commonality is that these are generally targets due to the data they hold for their clients. The Chartered Professional Accountants Canada (CPA Canada) recently found this out, as they were breached.

CPA Canada

Just as the name implies, the organization is involved with Canadian accountants, representing over 210k members. The organization provides accounting and guidance services for its membership. This service is vital for business, accounting firms, and the stock market.

 

Attack

The organization was unfortunately the victim of a successful phishing attack. On June 3, 2020, the organization notified the affected parties of the breach. Curiously, the organization was aware of the attack on April 24th, meaning it took over a month to notify the persons. The organization will not be disclosing the methodology used in the attack. On a level, this is understandable: the organization may not want the details published, as these may be used in other attacks as indications of its security posture. After the issue is corrected, though, this could be used as a learning tool or use case for others.

 

Data

CPA Canada definitely held useful information for the attackers to focus on. This included the members' personal information: their contact details (names, addresses, email addresses, and employer name). The passwords and credit card numbers, fortunately, were encrypted. The list of persons was primarily composed of CPA Magazine subscribers. This wasn't just the members, but also stakeholders, totaling over 329k persons. Granted, the data involved was confidential. However, this could have been much worse if the other data had not been encrypted, or if the attackers had been able to pivot from this point and gain access elsewhere.

 

Post-Breach

The organization has notified its members and others whose data was affected of the breach. The members and stakeholders were advised to change their passwords. The organization is also working with cybersecurity personnel to verify the system is secure and to determine exactly what data was copied. In addition, they naturally also contacted the appropriate law enforcement, the Canadian Anti-Fraud Centre, and other privacy authorities.

 

One point to take from this is that phishing continues to be, and will be for the foreseeable future, an absolutely viable attack. It has proven successful and will not slow down. Organizations need to continue training their employees for this. The system may be completely secure; however, all it takes is the right person in the right department to click the link, attachment, etc., and we are off to the races.

 

References

Solomon, H. (2020, June 4). Canadian accounting association website gets hacked. Retrieved from https://www.itworldcanada.com/article/canadian-accounting-association-website-gets-hacked/431712

 

Solomon, H. (2020, June 8). Canadian accounting association website gets hacked. Retrieved from https://business.financialpost.com/technology/tech-news/canadian-accounting-association-website-gets-hacked

 

The Canadian Press. (2020, June 4). Canadian accountants’ association suffers cyberattack; data of nearly 330k affected. Retrieved from https://globalnews.ca/news/7025862/cpa-canada-accountants-cyberattack/

 

The IJ Staff. (2020, June 4). CPA Canada hacked, subscriber information exposed. Retrieved from https://insurance-portal.ca/article/cpa-canada-hacked-subscriber-information-exposed/

 


Saturday, May 30, 2020

Sberbank Breached



Banks are located throughout the world. They perform vital services for consumers and commercial organizations in every country in which they are located. They are also connected with the respective nation's banking systems. Another commonality is that they hold a mass amount of data. This is very attractive to attackers for many reasons. It is also a concern for consumers, as their personally identifiable information (PII) ends up in the hands of unauthorized persons. Sberbank was targeted and data removed without its authorization. Sberbank is Russia's largest bank, holding 45% of all retail deposits and 41% of consumer loans. In this instance, the Russian state owns the controlling stake in the bank.
Attack
Obviously, the attack was successful, which is a problem. The organization estimates the breach occurred near the end of August 2019. The cause of this breach is unfortunately somewhat common, in the US and abroad. With employees, there is always the chance of the internal threat from the disgruntled, greedy, or unhappy employee. In this case, the bank is reporting the breach of data was due to an employee's intentional acts. The bank noted it had to be an internal employee, because the data's location made it impossible to breach from outside.

Later, the speculation ended when the bank reported the attacker had been apprehended. During the investigation, the employee was focused on and eventually confessed. The employee was the head of one of the bank's divisions and, as part of that role, had access to the databases, which explains how the data was exfiltrated given its remote location and restricted access.
Data
With the attack, millions of Sberbank customers' personal data was allegedly initially leaked. Fortunately for the affected persons, the target was the data; the funds in the affected persons' accounts were not targeted. The bank initially estimated 60M Sberbank credit cardholders had their personal data stolen and put up for sale on the dark web. This estimate appears to have been a bit inflated, and the true number was far less, possibly as low as 5k. The last reported sale price was $0.08 per record.

Surprisingly, the data leak and the data for sale were not noticed by the bank. For instance, even if the amount of data was only the 5k records, seemingly this would have triggered some form of alarm. After all, even a division manager probably would not have a need to download 5k individual records; their position would be more engaged with summaries and forward-looking goals. This oversight was caught by DeviceLock Cybersecurity, a cybersecurity organization, when they noticed the data for sale on the dark web. At times, the seller may make fantastic claims about the composition of the data for sale. In this case, however, a sample of 200 credit card holders' data was verified, indicating this was real. The data liberated in this case included the credit card details, excluding the three-digit CVV, and place of employment for the last ten years. While the affected persons do have a bit of good news with the CVV not being a part of this, they may still have been targeted for fraud due to the nature of the data itself.
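The alarm the paragraph above expects can be expressed as a volume check over a database audit trail. The following Python is an added example, not code from Sberbank or DeviceLock; it assumes a constructed audit-log format and arbitrary thresholds, and flags any user whose daily row count reaches an absolute cap or ten times their own prior median.

```python
"""Flag users whose daily record-access volume is far above their own history.

Added example, not code from the bank or the vendor mentioned in the post.
The audit-log format below is constructed for this example: one line per
database read, carrying the user, the table, and the number of rows returned.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample: three days of routine reads, then one bulk pull by a
# division head late on the last day. The final line is deliberately malformed.
SAMPLE_LOG = """\
2019-08-26T09:02:11 user=div_head action=read table=cardholders rows=12
2019-08-26T09:40:03 user=analyst1 action=read table=cardholders rows=40
2019-08-27T10:15:44 user=div_head action=read table=cardholders rows=9
2019-08-27T11:00:02 user=analyst1 action=read table=cardholders rows=55
2019-08-28T08:59:30 user=div_head action=read table=cardholders rows=15
2019-08-28T14:20:19 user=analyst1 action=read table=cardholders rows=38
2019-08-29T22:41:07 user=div_head action=read table=cardholders rows=5000
this line is malformed and must be skipped rather than crash the job
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}\s+user=(?P<user>\S+)\s+"
    r"action=(?P<action>\S+)\s+table=(?P<table>\S+)\s+rows=(?P<rows>\d+)$"
)


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"day": m["day"], "user": m["user"], "action": m["action"],
                           "table": m["table"], "rows": int(m["rows"])})
    return events


def daily_totals(events, action="read"):
    """Sum rows per user per day for one action type: {user: {day: rows}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == action:
            totals[e["user"]][e["day"]] += e["rows"]
    return totals


def detect_bulk_access(events, abs_threshold=1000, ratio=10.0):
    """Return one alert per (user, day) that breaches either rule.

    'absolute': the day's total reaches abs_threshold, baseline or not, so a
    brand-new account pulling thousands of rows is still caught.
    'ratio': the day's total is at least `ratio` times the median of that
    user's earlier days (their own baseline). Both thresholds are assumptions.
    """
    alerts = []
    for user, days in daily_totals(events).items():
        history = []                      # this user's earlier daily totals
        for day in sorted(days):          # ISO dates sort chronologically
            rows = days[day]
            baseline = statistics.median(history) if history else None
            reasons = []
            if rows >= abs_threshold:
                reasons.append("absolute")
            if baseline is not None and baseline > 0 and rows >= ratio * baseline:
                reasons.append("ratio")
            if reasons:
                alerts.append({"user": user, "day": day, "rows": rows,
                               "baseline": baseline, "reasons": reasons})
            history.append(rows)
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(parse_log(SAMPLE_LOG)):
        print(f"{a['day']} {a['user']}: {a['rows']} rows "
              f"(baseline {a['baseline']}) -> {', '.join(a['reasons'])}")
```

Run against the sample, only the 5,000-row pull on 2019-08-29 is reported; the analyst's 38 to 55 rows a day never leaves their own baseline.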
Follow-Through
After the bank was notified, they reported this and are working closely with law enforcement and the Central Bank of Russia to find the culprits. As noted, this was beneficial as the

Resources
Auyezov, O., & Lyrchikova, A. (2019, October 3). Russia’s sberbank investigating potential client data leak. Retrieved from https://www.reuters.com/article/us-sberbank-russia-dataprotection/russias-sberbank-investigating-potential-client-data-leak-idUSKBIN1@i0Wl

Hinchliffe, R. (2019, October 9). Russia’s sberbank catches internal culprit of data leak. Retrieved from https://www.fintechfutures.com/author/hinchliffer/

Leprince-Ringuet, D. (2019, October 4). Russia’s sberbank investigates credit card data leak. Retrieved from https://www.zdnet.com/article/russieas-sberbank-investigates-credit-card-data-leak

Ljubas, Z. (2019, October 19). Russia: Huge data leak hits sberbank. Retrieved from https://www.occrp.org/en/daily/10797-russia-huge-data-leak-hits-sberbank

PMNTS. (2019, October 4). Russia’s sberbank investigating potential client data leak. Retrieved from https://www.pymnts.com/news/security-and-risk/2019/russias-sberbank-investigating-cleint-data-leak/

Spadafora, A. (2019, October 3). Russia’s sberbank hit with huge data leak. Retrieved from https://www.techradar.com/news/russias-sberbank-hit-with-huge-data-leak

The Moscow Times. (2019, October 3). Sberbank hit by huge data breach. Retrieved from https://www.themoscowtimes.com/2019/10/03/sberbank-hit-by-huge-data-breach-a67570

The Moscow Times. (2019, October 3). Sberbank hit by huge data breach. Retrieved from https://www.wedn.com/2019/10/03/sberbank-hit-by-huge-data-breach/

Walker, J. (2019, October 8). Sberbank of Russia completes investigation into the dark web data leak. Retrieved from https://portswigger.net/daily-swig/sberbank-of-russia-completes-investigation-into-dark-web-data-leak  

Thursday, May 28, 2020

Spartans compromised: MSU breached


Michigan State University (MSU), located in East Lansing, Michigan, is one of the premier institutions in the Midwest. It has a 5,300-acre campus with 563 buildings, plus nearly 20,000 acres throughout Michigan used for agricultural and natural resources research and education. In Fall 2019, there were 49,809 students. With such a large number of students, the amount of data generated by the students and administrative staff is massive year after year. This data, including the confidential data on the students, provides a significant target for attackers, and it drew these persons to the University's servers and data.

Attack
Ransomware has been a nasty part of our environment for the last few years. It is a good attack tool due to its low operational overhead and potentially large payoff. With this mode, it simply takes the right person in the right department to click on the malware or link. Unfortunately for MSU, the tool was used against the university successfully. The attackers were able to breach the network, access the targeted data, and exfiltrate it. The attackers demanded a ransom be paid within a week of the successful attack, or they would publish the stolen files. If the university does not pay the ransom, the attackers are willing to leak the documents.

Data
The university believes, but is not certain, that the breach and subsequent intrusion was limited to one (1) isolated unit on the campus. While this is a good thing, the breach itself is still an issue. The files included student records (e.g., passport scans) and other private, confidential data, along with university financial documents.

Attackers
The attackers apparently used the Netwalker ransomware, sometimes referred to as Mailto. This ransomware variant was coded to attack the enterprise, rather than individual user workstations. With this variant, once the clock runs down to zero, the data and the decryption key are automatically published.

Mitigation

This is a rather significant issue: a prominent university pwned, and its data being held for ransom. After this was detected, the IT Department took the affected systems and servers offline to prevent further exposure. MSU's IT Department notified law enforcement, including the MSU Police Department and Michigan State Police, of the successful attack and threats, to begin the investigation.

The latest successful attack is yet another clear indication that we need more relevant cybersecurity training. Without it, these attacks will continue to be successful and cause an abundance of harm to the organization, staff, and other parties as collateral damage.

Resources
Cimpanu, C. (2020, May 28). Michigan state university hit by ransomware gang. Retrieved from https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/

Dissent. (2020, May 28). Michigan state hit by ransomware threatening leak of student and financial data. Retrieved from https://www.databreaches.net/michigan-state-hit-by-ransomware-threatening-leak-of-student-and-financial-data/

Freed, B. (2020, May 27). Michigan state hit by ransomware threatening leak of student and financial data. Retrieved from https://edscoop.com/michigan-state-hit-by-ransomware-threatening-leak-of-student-and-financial-data/

Guzman, W. (2020, May 28). Michigan state target of ransomware attack threatening to release university data. Retrieved from https://statenews.com/article/2020/05/michigan-state-target-of-ransomware-attack-threatening-to-release-university-data?ct=content_open&cv=cbox_latest

Marowski, S. (2020, May 28). Ransomware attack threatens to release stolen Michigan state university files. Retrieved from https://www.mlive.com/news/jackson/2020/05/ransomware-attack-threatens-to-release-stolen-michigan-state-university-files.html

Michigan State University. (n.d.). MSU facts. Retrieved from https://msu.edu/about/thisismsu/facts.php

Sunday, March 22, 2020

U of U Compromises-Uh Oh



The University system tends to focus on research in specific disciplines: business, psychology, sociology, criminal justice, medicine, or any of the other areas within the University system. While the staff fulfill their tasks, the IT operations area is continuously working to detect attacks and put mitigations in place to reduce the opportunity for a breach. This is a daunting task for many reasons. One such target was the University of Utah Health system. The organization was unfortunately breached at least twice recently.
Attack
The system is deluged with attacks and the beginning stages of attacks, just like any other medical facility. Unfortunately, two of these were recently successful.

The first ran from January 22 through February 27, 2020. This successful attack focused on email accounts. During this period there was unauthorized access to a portion of the University of Utah Health staff email accounts. This was accomplished through the infamous phishing attack. This attack vector is so successful with so little capital or effort that it is bound not to slow down.

The second known successful attack took the form of malware on a system. This was detected on February 3, 2020. Once it was found, the University of Utah Health contacted a third-party cybersecurity organization to assist with the investigation. The investigation noted the malware may have been able to access a portion of the patients' data, which was located in the respective employee's email.
Data
With both of these successful attacks, the commonality was unauthorized access to patient data. In these breach instances, the patient data may have included the patient name, date of birth, medical record numbers, and a limited amount of treatment information.
Post-Attack Actions
The investigation into the attack was not a simple review of logs. The compromises were alleged to be of a complex and highly technical nature. This is not an unusual statement from the University of Utah Health. If they were to state the attack was exceptionally simple, management would be having additional issues from many other parties, including potentially the federal government, attorneys, and others.

The organization is also mailing letters to the affected patients. This is the standard protocol. To lower the potential for this to occur again, the organization is updating InfoSec procedures with the employees. This may or may not be successful, depending on the implementation. If, after a few months, management does not reinforce the idea of cybersecurity, any lessons learned will fall by the wayside.
Looking Forward
This is yet another case where training needs to be done throughout the year, be insightful, and have some level of entertainment. Without this in place, organizations will continue to be reactive post-breach instead of proactive in minimizing the potential for a breach. Knowing the method used for the phishing attack would have been a great step forward: the industry could have learned from this and tailored others' training to avoid the issue.

Resources
Bennett, L. (2020, March 21). University of Utah health says some patients’ data compromised in ‘phishing’ security breach. Retrieved from https://www.ksl.com/article/46732931/university-of-utah-health-says-some-patients-data-compromised-in-phishing-security-breach

DeWitt, K. (2020, March 20). U of U health announces phishing schemes caused unauthorized access to some employee accounts. Retrieved from https://www.abc4.com/news/top-stories/u-of-u-health-announces-phishing-schemes-caused-unauthorized-access-to-some-employee-email-accounts/

Roberts, A. (2020, March 21). Hacked: Some patient information compromised in U of U Health breach. Retrieved from https://kutv.com/news/local/some-u-of-u-health-patient-information-may-be-compromised-in-data-breach

Thursday, November 21, 2019

Watch for supply chain management vulnerabilities


Blue Cross Blue Shield of Michigan is a medical insurer located in MI. Its clients are varied, work for employers from small to large-sized, and are located throughout the state.
Issue
BCBS uses contractors for various roles throughout the company. One vendor is COBX Co., a wholly-owned subsidiary of BCBS. The subsidiary is tasked with Medicare Advantage services for its clients. An employee of COBX had their laptop stolen on October 26, 2018. BCBS of Michigan notified approximately 15,000 Medicare Advantage members of a potential breach. The notification was done via letter. While this is not a good thing, it is pertinent that at least the laptop was encrypted and did require a password. Normally, this would be fine if the encryption met a certain baseline. The problem was that the employee's credentials could have been compromised, meaning the person with the laptop would still be able to access the data.
Data
The affected BCBS customers' social security numbers and financial information were not accessible from the stolen laptop, fortunately. The data that was available included the customer's first name, last name, date of birth, gender, medication, diagnosis, provider information, and enrollee identification number.
Remediation
There has been no direct evidence the customers' data was accessed. With this type of issue, although there is no direct evidence of the data being used for malicious means, that does not mean it has not been used, and there is no guarantee it won't be used in the near future. BCBS of Michigan noted there is a low chance of identity theft due to the nature of the data involved. BCBS is offering the affected parties AllClearID identity protection services. The term for this service is two years, and it is free to the customers potentially at risk. The contractor involved did have his credentials changed once the issue came to light. BCBS of Michigan is working with COBX to review its policies and procedures. They are also putting additional safeguards in place.
Comments, Concerns, etc.
The laptop required a password for access and was encrypted, which required another password. Normally, this may be a non-issue, as with most industry-accepted encryption protocols, brute forcing this or decrypting the data would require several lifetimes. Given that the notice announced the contractor's credentials may have been compromised, this nearly leads me to believe the credentials may have been openly accessible, as in written on a post-it note on the laptop or otherwise easily acquired.
Resources
BCBS of Michigan. (2019, January 2). Data breach affects 15,000 medicare customers of blue cross blue shield of Michigan. Retrieved from https://www.cisomag.com/data-breach-affects-15000-medicare-customers-of-blue-cross-blue-shield-of-michigan/

Dissent. (2019, January 3). Double whammy: BCBS of Michigan policyholders hit by two breaches in December. Retrieved from https://www.databreaches.net/double-whammy-bcbs-of-michigan-policyholders-hit-by-two-breaches-in-December/

Haefner, M. (2018, December 31). BCBS of Michigan: Data breach may have affected 15,000 medicare members. Retrieved from https://www.beckershospitalreview.com/player-issues/bcbs-of-michigan-data-breach-may-have-affected-15-000-medicare-members.html

HIPAA Journal. (2018, December 31). 15,000 customers notified about blue cross blue shield of Michigan data breach. Retrieved from https://www.hipaajournal.com/15000-customers-notified-about-blue-cross-blue-shield-of-michigan-data-breach/

Livengood, C. (2018, December 28). Blue cross alerts 15,000 medicare customers of potential data breach. Retrieved from https://www.crainsdetroit.com/insurance/blue-cross-alerts-15000-medicare-customers-potential-data-breach

Wednesday, October 30, 2019

Misconfigured servers can give you a headache


Local, state and federal governments collect massive amounts of data from their citizens. There are massive data centers whose only function is to hold this data. While these secure the data, there are numerous attacks daily, ranging from simple scans to far more advanced activity. One such state is Oklahoma, which had a notable issue. The Oklahoma Department of Securities is tasked with protecting investors.
Issue
This year a research team (the UpGuard Data Breach Research Team) detected an insecure server; the detection occurred on December 7, 2018. The server happened to have millions of files open to the public. The server was registered to the Oklahoma Office of Management and Enterprise Services (OMES), but was actually owned by the Oklahoma Department of Securities. The server held 3TB of data, millions of files, all fully and openly accessible. It may have been open from at least November 2018 through the detection date.
Data
The data was located on an rsync service that was not secured. Rsync is generally used to synchronize files across systems. A person’s data can be very sensitive and provide information to unauthorized parties that the person does not want provided. The data, in this case, involved a list of persons with a specific ailment, FBI investigation details, and other PII. One of the databases also held credentials and social security numbers for over 10K brokers. The credentials could have been used for remote access to the Oklahoma Department of Securities workstations. The earliest records noted were from 1986.
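An unsecured rsync daemon of the kind described above is usually a configuration problem in rsyncd.conf: a module with no authentication, no source-address restriction, and its name advertised to anyone who asks. The following audit script is an added example, not code from the original post or from the Oklahoma agencies; the two configurations it checks are constructed to show the weak settings beside the corrected ones.

```python
"""Audit an rsyncd.conf for modules reachable without authentication.

Added example (not code from the original post or from the Oklahoma agencies):
the two configurations below are constructed to show the weak and the corrected
settings for a daemon-mode share such as the one described above.
"""
from dataclasses import dataclass, field

# 'hosts allow' values that amount to "anyone"; an absent key has the same effect
OPEN_HOSTS = {"", "*", "0.0.0.0/0"}
TRUE_VALUES = ("yes", "true", "1")


@dataclass
class Finding:
    module: str
    problems: list = field(default_factory=list)


def parse_rsyncd_conf(text: str) -> dict:
    """Minimal rsyncd.conf parser: global keys live under '', modules under their name."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit(text: str) -> list:
    """Return one Finding per module whose effective settings expose it."""
    conf = parse_rsyncd_conf(text)
    findings = []
    for name, opts in conf.items():
        if name == "":
            continue
        eff = {**conf[""], **opts}               # module keys override global keys
        problems = []
        if not eff.get("auth users"):
            problems.append("no 'auth users': any client may pull the module anonymously")
        elif not eff.get("secrets file"):
            problems.append("'auth users' without 'secrets file': authentication cannot succeed")
        if eff.get("hosts allow", "").strip() in OPEN_HOSTS:
            problems.append("no 'hosts allow': module accepts connections from any source address")
        if eff.get("read only", "yes").lower() not in TRUE_VALUES:
            problems.append("'read only = no': clients may also write into the module")
        if eff.get("list", "yes").lower() in TRUE_VALUES:
            problems.append("'list = yes': module name is advertised to anonymous module listing")
        if problems:
            findings.append(Finding(name, problems))
    return findings


# Constructed: an anonymous, world-readable share of a backup directory
WEAK_CONF = """
uid = nobody
gid = nobody
use chroot = yes

[agency-backup]
    path = /srv/backups
    comment = nightly dump
    read only = yes
"""

# Constructed: same share restricted to one network, one account, and hidden from listing
HARDENED_CONF = """
uid = nobody
gid = nobody
use chroot = yes
hosts allow = 10.20.0.0/16
list = no

[agency-backup]
    path = /srv/backups
    comment = nightly dump
    read only = yes
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Even the hardened module still listens on TCP 873 and sends its password in a weak challenge scheme, so the usual recommendation is to keep the daemon off any public address and use rsync over SSH instead; the audit only catches the settings that turn a sync tool into an open file share.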
Remediation
As noted, the server with cybersecurity issues was detected on December 7, 2018. The owner was notified on December 8, 2018. Fortunately for the persons whose data was on the system, the public access was removed immediately. They are working with a forensic team in conducting an investigation. The government was very responsive and acted responsibly in taking care of this. They did not wait for an extended period of time to act on the issue.
Lessons Learned
This is a rather unusual set of circumstances, nearly a trifecta. The issues compounded on each other. The server was openly accessible by anyone, the data on the server was not encrypted, and it appears they had not been using TLS keys and certificates. At the very least, the data at rest should have been encrypted and TLS enabled. These are basic and uncomplicated measures. It is curious how this was configured incorrectly and passed their internal checks. Allegedly the breach occurred while a firewall was being installed. While a good standard operating procedure, it should not have taken at least a week to implement. This issue emphasizes the need for timely work and proper configurations for systems.

Resources
Denwalt, D. (2019, January 17). Oklahoma government agency left millions of files unsecured, including sensitive data, cybersecurity team finds. Retrieved from https://www.tulsaworld.com/news/state-and-regional/oklahoma-government-agency-left-millions-of-files-unsecured-including-sensitive/

Dissent. (2019, January 16). Massive Oklahoma government data leak exposes 7 years of fbi investigations. Retrieved from https://www.databreaches.net/massive-oklahoma-government-data-leak-exposes-7-years-of-fbi-investigations/

Mikelionis, L. (2019, January 17). FBI records, emails, social security numbers exposed in massive data leak, security experts say. Retrieved from https://www.foxnews.com/tech/oklahoma-government-data-leak-exposed-fbi-investigations-emails-dating-back-17-years-social-security-numbers

O’Donnell, L. (2019, January 16). Millions of Oklahoma gov files exposed by wide-open server. Retrieved from https://threatpost.com/oklahoma-gov-data-leak/140936

Osborne, C. (2019, January 17). Oklahoma government data leak exposes fbi investigation records, millions of department files. Retrieved from https://www.zdnet.com/article/oklahoma-gov-data-leak-exposes-millions-of-department-files-fbi-investigation

The Associated Press. (2019, January 17). Firm: Oklahoma securities agency’s computer files breached. Retrieved from https://www.thestate.com/news/business/national-business/article224681545.html


Friday, September 13, 2019

Yet another AWS issue! Capital One breached


Capital One-Yet Another Breach
Charles Parker, II
There is a saying that we are our own worst enemy. While we may have the best intentions, at times we create our own issues, which act to our own detriment. This has been notable with a single use case. The focal point has been with AWS and misconfigured servers. This has created so many issues for the data owners and managers. The latest victim is Capital One, due to its misconfigured AWS. This certainly won’t be the last incident in the industry.
Breach
To note this was massive would be an understatement. This is one of the biggest data breaches involving a financial services company. There were 106M persons involved. The affected persons were located not only in the US but also in Canada. The breach was open for an extended period of time, from March 19 through July 17, 2018.
Method
The focal point for the attack was the cloud servers rented from AWS. There was an issue with the cloud configuration. The attack was exceptionally successful due to a misconfigured web application firewall. The attackers used a special command to extract the files in the Capital One AWS. Oddly, on June 16, 2019, the attacker posted on Twitter exactly how it was done. This was a very odd event. Generally, if you are going to gain unauthorized entry, you don’t want everyone to know exactly who you are. In this case, the attacker did just this.
Data
The data was related to credit card applications filed between 2005 and early 2019. This is a rather large span of time over which to exfiltrate data. The attacker accessed credit applications, social security numbers (approximately 40k in the US and 1M Canadian social insurance numbers), bank account numbers (approximately 80k), names, addresses, dates of birth, and financial information (e.g. self-reported credit scores). Fortunately, no credit card account numbers or logins were exposed in the breach. Altogether, the total amount of data was approximately 30GB. Somehow, the attacker was able to exfiltrate this data over months without anyone, or any application, examining the logins or data access for an extended period.
Perpetrator
The FBI has arrested a person in this case. The speedy arrest was greatly due to the attacker letting everyone know who they were and not trying to hide anything. The attacker previously worked as an Amazon Web Services (AWS) engineer. The attacker’s name of record is Paige A. Thompson. Given her lack of intuitiveness, she is certainly a nominee for the Darwin Award. She bragged about the breach and crime on GitHub and social media. She tried to share the data online and not on the DarkWeb. To top off the award nomination, she used her full first, middle, and last name. She also stored the data in a GitHub account for the user “Netcrave”. The GitHub site also happened to have Paige’s resume (oops). She also used the alias “erratic”.

The criminal complaint was filed in the Western District of Washington. The hearing was on August 1, 2019. To further support the allegation with yet more evidence, the FBI executed a search warrant and seized electronic storage devices. The storage devices contained a copy of the data.
Mitigation
The AWS configuration has been corrected. They stated it was not likely the data was used fraudulently. It is very easy to state this, but exceptionally difficult to guarantee. They did promise to provide 12 months of credit monitoring for affected parties. They also recommend that the affected parties watch for phishing emails.

Resources
Corcoran, J. (2019, July 30). Former AWS engineer arrested as capital one admits massive data breach. Retrieved from https://threatpost.com/aws-arrest-data-breach-capital-one/146758/

Krebs, B. (2019, July 19). Capital one data theft impacts 106M people. Retrieved from https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/

McLean, R. (2019, July 30). A hacker gained access to 100 million capital one credit card applications and accounts. Retrieved from https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html

U.S. Attorney’s Office. (2019, July 29). Seattle tech worker arrested for data theft involving large financial services company. Retrieved from https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arrested-data-theft-involving-large-financial-services-company

Wednesday, September 11, 2019

NASA servers compromised!

From a young age, we become acquainted with NASA through its missions to the Moon, Mars, Saturn, Pluto, and its other missions. The iconic astronauts in their suits have been etched into our minds. In short, space exploration is their mission. While this is their primary focus, and their engineers are very good at this, the organization still needs the other work groups to support this. One of these pertinent workgroups is information security, or cybersecurity. Without this in place with a strong team, there could be immediate issues. In an incident from late 2018, it appears as though not enough attention has been paid to this.
Compromise
The breach occurred in October 2018. Once this was detected, NASA moved to contain the issue, which is a great action to take given the attackers’ actions. Unfortunately, nothing substantial has been published regarding the method of the attack. Granted, NASA would have corrected this already; however, it would have been a great learning experience to understand how the attack leading to a compromise occurred. This would have allowed others to learn from the NASA oversight.

This is not the first time the potential for a compromise has been noted as an issue. For example, in November 2017 the Inspector General noted NASA’s InfoSec issues. In the two years prior to this report, there were over 3k computer security issues and incidents of unauthorized access. Fortunately, no missions were impacted by this. The number of cybersecurity issues was rather substantial. From a CISO’s perspective, seemingly one would want to start by fixing the critical issues and work down the list from there.
Data
The servers targeted unfortunately held PII, which is a bad set of circumstances for the affected parties. This included the social security numbers and other PII data for current and prior NASA employees. This concerns the employees on-boarded from July 2006 to October 2018. This is a rather large number of persons involved.
Notifications
As the employees’ PII was included, notification had to be made. The NASA HR Department, on behalf of Bob Gibbs (Assistant Administrator, Office of the Chief Human Capital Offices), forwarded a memo on December 18, 2018. This noted the cybersecurity personnel had started an investigation of their systems, which were compromised. It is notable that the breach occurred in October 2018, yet NASA waited until December 18, 2018, to notify persons. This was intentional, as law enforcement was still investigating and did not want to alert the attackers.
Mitigation
NASA will offer identity protection services and other resources through a vendor. NASA and other federal cybersecurity partners are analyzing the breach for the forensic review. This, however, is only focused on the impacted systems. There may be the same or nearly the same issues on other systems, providing additional opportunity for the attackers. As a result of the compromise, NASA is working to expand its network penetration testing program, conduct a greater number of incident response (IR) assessments, broaden deployment of intrusion detection systems (IDS), and provide a greater level of web application security scanning.
Resources
Boston, B.A. (2018, December 19). NASA reveals October security breach that exposed employee data. Retrieved from https://www.slashgear.com/nasa-reveals-october-security-breach-that-exposed-employee-data-19558631/  

NASA HQ. (2018, December 18). Potentially personally identifiable information (PII) compromise of NASA servers. Retrieved from http://spaceref.com/news/viewsr.?pid=52074


Vijayan, J. (2018, December 19). NASA investigating breach that exposed PII on employees, ex-workers. Retrieved from https://www.darreading.com/attacks-breaches/nasa-investigating-breach-that-exposed-pii-on-employees-ex-workers/

Tuesday, August 27, 2019

Misconfigurations abound: This oversight affects 120 million Brazilians


For better or worse, there seem to be more instances of misconfigurations. This may be on servers, AWS, or other targets. The issues range from minor to rather significant (e.g., forgetting about application security and allowing anyone with an AWS account to log in to your instance). At this point, significant misconfigurations really should not be occurring. There are many opportunities and sources to learn from. One such oversight, a massive one, occurred in Brazil. Brazil is known for its celebrations. Unfortunately, this country is also becoming known for cybersecurity issues.
Affected
The issue with this particular breach is a misconfigured Apache server with CPF (Cadastro de Pessoas Físicas) numbers for nearly 120M Brazilians being exposed. The CPF is the identification number provided by the Brazilian Federal Reserve to Brazilian citizens and taxpaying residents. This is much like the US social security number. This number is not optional and is required for the monetary tasks of daily life (e.g. opening a bank account, opening a business, paying taxes, getting a loan, and other functions). The length of time these were exposed is unknown. As no one is sure how long the server was misconfigured, this could have been a lengthy period. It is notable and odd that this period of time cannot be estimated. Seemingly there should be a record memorializing when the server was configured. The data exposed includes the person’s name, birth date, email, phone number, address, employment details, bank account details, loans and repayment history, debit and credit history, voting history, voting registration number, and more. This is a wonderful collection for phishing and for taking over someone’s identity for fraudulent uses. To top off the issue, all of this data can be sold quite easily on the dark web.
Misconfiguration
The issue was discovered in March 2018. The web server was misconfigured to allow public access. On the server, the default file “index.html” had been renamed to “index.html_bkp”. For someone viewing the files, this would draw attention. With no index file present, the web server produced a directory listing of the files located in that directory. The files ranged in size from 27MB to 82GB. While the researchers at InfoArmor were working to understand who the owner of the server was, so they could be notified, the researchers noted an 82GB file was replaced with a raw 25GB SQL file. The file name stayed the same. What may have happened is the directory was used to store a database backup, and the person creating and configuring this did not understand the files were publicly available.
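The listing described above only happens when the directory’s Options include Indexes (Apache’s autoindex) and no DirectoryIndex file such as index.html is present; renaming the index file is enough to trip it. The script below is an added example, not code from the original post or from InfoArmor: it flags the Options lines that permit autoindex in a config snippet, and recognises an autoindex response body and the backup-looking files it exposes. The config snippets and the HTML are constructed.

```python
"""Detect an Apache directory-listing exposure from two sides: the Options
directive that permits autoindex, and the response body that proves a listing
is being served. Added example, not code from the original post or from
InfoArmor; the config snippets and the HTML below are constructed.
"""
import re
from html.parser import HTMLParser

# Names that suggest a database dump or backup was left in the web root
RISKY_SUFFIXES = (".sql", ".bak", ".old", ".dump", ".zip", ".tar", ".gz", "_bkp")


def options_enabling_indexes(config_text: str) -> list:
    """Return Options lines that switch autoindex on ('Indexes', '+Indexes' or 'All')."""
    offenders = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"Options\s+(.+)", stripped, re.IGNORECASE)
        if not m:
            continue
        tokens = [t.lower() for t in m.group(1).split()]
        if any(t in ("indexes", "+indexes", "all") for t in tokens):
            offenders.append(stripped)
    return offenders


class _ListingParser(HTMLParser):
    """Collects the <title> text and every href from an autoindex page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def analyze_response(html: str) -> dict:
    """Classify a page body: is it an autoindex listing, and what does it expose?"""
    parser = _ListingParser()
    parser.feed(html)
    is_listing = parser.title.strip().startswith("Index of ")
    # Drop autoindex's own sort links (?C=N;O=D) and the parent-directory link
    entries = [h for h in parser.hrefs if not h.startswith("?") and h not in ("/", "../")]
    risky = [e for e in entries if e.lower().endswith(RISKY_SUFFIXES)]
    return {"is_listing": is_listing, "entries": entries, "risky": risky}


# Constructed: the directory block that allows a listing when index.html is missing
WEAK_CONF = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# Constructed: the corrected block; a missing index file now yields 403, not a listing
HARDENED_CONF = """
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""

# Constructed autoindex body of the kind Apache returns when no index file exists
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="index.html_bkp">index.html_bkp</a></td></tr>
<tr><td><a href="clientes.sql">clientes.sql</a></td></tr>
<tr><td><a href="logo.png">logo.png</a></td></tr>
</table></body></html>
"""

if __name__ == "__main__":
    print("weak config:", options_enabling_indexes(WEAK_CONF))
    print("hardened config:", options_enabling_indexes(HARDENED_CONF))
    print("sample body:", analyze_response(SAMPLE_LISTING))
```

Turning Indexes off only stops the listing; the database dump would still be downloadable by anyone who knew or guessed its name, so backups belong outside the document root entirely, which is the second lesson of the incident above.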
Notification
The researchers were able to find the email addresses associated with the server, and naturally emailed one of these. The email bounced back with a “User Unknown” response. Two further attempts were made. Finally, the researchers received a reply stating the hosts had contacted their clients about the legal issues with leaving the data exposed. The data, however, remained exposed and wide open for several weeks after this. Later that month, the server was secured.
Thoughts
Once the point of contact for the server was notified, it is curious that correcting the issue took so long. This required the researchers to attempt contact three times, and it still took several weeks to correct. One question is why the data was on a third-party server. This should not have been the case. This is clearly rather significant confidential and sensitive data. It is also difficult to know who accessed the data and for how long.

Resources
Abrams, L. (2018, December 12). Taxpayer ID numbers for 120 million Brazilians exposed online. Retrieved from https://www.bleepingcomputer.com/news/security/taxpayer-id-numbers-for-230-million-brazilians-exposed-online/

Cyware. (2018, December 13). Misconfigured cloud server exposed taxpayer ID numbers of 120 million Brazilians. Retrieved from https://cyware.com/news/misconfigured-cloud-server-exposed-taxpayer-id-numbers-of-120-million-brazilians-91298892

InfoArmor. (n.d.). InfoArmor reports identification numbers of 120 million Brazilians exposed online. Retrieved from https://cdn2.hubspot.net/nubfs/3836852/PCOs/InfoArmor_Brazilian%20Exposure%20Report.pdf

Muncaster, P. (2018, December 13). Apache misconfig leaks data on 120 million Brazilians. Retrieved from https://www.infosecuritymagazine.com/news/apache-misconfig-leaks-data

S., Gurubaran. (2018). 120 million unique taxpayer ID numbers exposed online from misconfigured servers. Retrieved from https://gbhackers.com/120-million-unique-taxpayer/amp

Saturday, August 17, 2019

Lengthy Time to Report Compromise: 8 Months for PHI Theft

Sharecare Health Data Services (SHDS) offers a secure method for electronic exchanges of data. The organization also manages healthcare business medical records. The organization is located in San Diego, CA. 
Compromise 
The attack was first seen as unusual activity detected on June 26, 2018. The detected data was abnormal when compared to the normal baseline. This red flag triggered their investigation. The initial analysis was that the attackers had breached the defenses. The attackers had gained access to the systems which contained protected health information (PHI). This access may have started as early as May 21, 2018. This unauthorized access includes 18,416 insurance members of Blue Shield of California. AltaMed patients, approximately 5,767, were also affected. The data included a buffet of fields the attackers could use and sell. This included the name, address, birth date, unique patient number, address where the health services were provided, internal SHDS processing notes, and medical record numbers. The attackers had unfettered access from May 21, 2018, to June 26, 2018, or over a month. On June 26, 2018, the attackers accessed the data and exfiltrated it to sites overseas. This was reported to the other healthcare organizations directly affected on December 31, 2018. Fortunately, the patients’ social security numbers, financial information, and detailed clinical information were not accessed.
Notification
The unauthorized access began at least as early as May 21, 2018, and was detected on June 26, 2018. The reporting to the other affected healthcare organizations was on December 31, 2018. The notice to the affected patients occurred on February 15, 2019. In addition to the clients, the FBI was also notified.

The notification to the other healthcare organizations covered the breach and the potential for the data to have been accessed by these unauthorized parties. From the timeline, the extended period, over five months, for the other healthcare organizations to be notified was odd. No reason was given for the five-month-plus reporting period. One of these affected healthcare organizations was AltaMed, with 5,500 of its patients included in the compromised records pool. Oddly, to add confusion to the rationale, the patients affected by the breach were notified an additional 2.5 months later.
Mitigation 
After this was detected, SHDS contracted with Mandiant, the cybersecurity consultant, to help SHDS with the forensic analysis and review. On a positive note, once this was detected, immediate steps were put in place to cease the unauthorized access. SHDS enhanced its security to minimize the potential for further successful attacks. They also revised their data retention policies. The business contracted with a third party to monitor its data systems 24 hours a day, seven days a week. SHDS offered the affected patients a year of free credit monitoring and identity theft protection services through AllClear ID.
Questions/Lessons Learned
With a breach and compromise, time is of the essence. In most cases, it is not prudent to wait for extended periods to report a breach. In this instance, it took over five months to report this to the other healthcare organizations, whose patients were affected by this SHDS issue. Overall, it took nearly eight months to notify the affected patients. This is simply unacceptable. The organization had the list of affected parties and still elected not to inform them in even a remotely timely manner. 

It is difficult to imagine how their InfoSec team did not detect unauthorized access for over a month. It seems as though their SIEM would have detected this well before the mass amount of data was exfiltrated. The issue begs the question, was the SIEM fully integrated into the system, or the filters/scripts not fully utilized? 
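The baseline comparison the post describes, and the SIEM rule it expects, can be stated concretely: build each host’s own history of daily outbound volume and alert when a day exceeds that history by a wide margin, noting any destination the host has never spoken to before. The script below is an added example, not SHDS’s or Mandiant’s code; the egress-log lines it runs over are constructed to resemble the incident above, with a month of ordinary traffic followed by one host pushing roughly 1.8GB to a new external address on June 26.

```python
"""Volume-spike detection against a per-host baseline, run over constructed
egress-log lines. Added example, not code from the original post, SHDS or
Mandiant; hosts, addresses and byte counts are made up for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed egress-log lines (proxy or firewall style): one line per flow summary
SAMPLE_LOG = """
2018-06-21T09:02:11Z src=10.4.1.22 dst=93.184.216.34 bytes_out=41000000
2018-06-21T09:15:40Z src=10.4.1.30 dst=93.184.216.34 bytes_out=50000000
2018-06-22T08:58:03Z src=10.4.1.22 dst=93.184.216.34 bytes_out=55000000
2018-06-22T10:01:12Z src=10.4.1.30 dst=93.184.216.34 bytes_out=47000000
2018-06-23T09:04:55Z src=10.4.1.22 dst=93.184.216.34 bytes_out=48000000
2018-06-23T09:30:01Z src=10.4.1.30 dst=93.184.216.34 bytes_out=52000000
2018-06-24T09:11:27Z src=10.4.1.22 dst=93.184.216.34 bytes_out=52000000
2018-06-24T11:44:09Z src=10.4.1.30 dst=93.184.216.34 bytes_out=49000000
2018-06-25T09:07:33Z src=10.4.1.22 dst=93.184.216.34 bytes_out=44000000
2018-06-25T09:52:18Z src=10.4.1.30 dst=93.184.216.34 bytes_out=51000000
2018-06-26T02:14:05Z src=10.4.1.22 dst=203.0.113.9 bytes_out=900000000
2018-06-26T03:41:50Z src=10.4.1.22 dst=203.0.113.9 bytes_out=950000000
2018-06-26T09:20:46Z src=10.4.1.30 dst=93.184.216.34 bytes_out=48000000
""".strip().splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")


def parse_events(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"day": m["ts"][:10], "src": m["src"],
                           "dst": m["dst"], "bytes": int(m["bytes"])})
    return events


def daily_totals(events):
    """src -> day -> total bytes sent out that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["src"]][e["day"]] += e["bytes"]
    return totals


def find_exfil(lines, ratio=10.0, floor_bytes=500_000_000):
    """Alert when a host's daily egress exceeds both an absolute floor and
    `ratio` times the median of its own earlier days. The median baseline is
    used so one earlier spike does not raise the bar for the next one."""
    events = parse_events(lines)
    totals = daily_totals(events)
    dsts = defaultdict(set)                       # (src, day) -> destinations seen that day
    for e in events:
        dsts[(e["src"], e["day"])].add(e["dst"])
    alerts = []
    for src, per_day in totals.items():
        known_dsts = set()
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]   # only earlier days form the baseline
            if history:
                baseline = median(history)
                if per_day[day] > max(floor_bytes, ratio * baseline):
                    alerts.append({
                        "src": src, "day": day, "bytes": per_day[day],
                        "baseline": baseline,
                        "new_destinations": sorted(dsts[(src, day)] - known_dsts),
                    })
            known_dsts |= dsts[(src, day)]
    return alerts


if __name__ == "__main__":
    for a in find_exfil(SAMPLE_LOG):
        print(f"{a['day']} {a['src']} sent {a['bytes']:,} bytes "
              f"(baseline {a['baseline']:,}); new destinations: {a['new_destinations']}")
```

A rule like this answers the post’s second question: it would have fired on the day of the bulk transfer, but not during the preceding month of quiet access, which needs a different signal (logins from unexpected sources, access outside normal hours) rather than a volume threshold.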

Resources

Davis, J. (2019, February 19). Blue shield, altamed patient data breached in business associate hack. Retrieved from https://healthitsecurity.com/news/blue-sheild-altamed-patient-dta-breached-in-business-associate-hack 

Dissent. (2019, February 16). AltaMed, blue shield of california notify patients and regulators after breach at sharecare health data systems. Retrieved from https://www.databreaches.net/altamed-blueshield-of-california-notify-patients-and-regulators-after-breach-at-sharecare-health-data-services/ 

Garrity, M. (2019, April 29). AltaMed alerts 5,500 patients of data breach. Retrieved from https://www.beckershospitalreview.com/cybersecurity/altamed-alerts-5-500-patients-of-data-breach.html 

HIPAA Journal. (2019, February 19). Patients receive notification of PHI theft 8 months after business associate data breach was detected. Retrieved from https://www.hipaa.journal.com/patients-receive-notification-of-phi-theft-8-months-after-business-associate-data-breach-was-detected/ 

University of Alaska Pwned!

Colleges and universities continue to be targeted based on the treasure trove of data stored in their systems. This includes the students’, faculty’s, and administrative staff’s names, addresses, email addresses, social security numbers, and many more data points per person, which are readily marketable on the dark web. While this data is required for university operations, it also tends to bring unwanted attention from attackers seeking it. One such university is the University of Alaska.
Breach
In the recent past, many different attacks have been used against colleges and universities. In this case, the simplistic email phishing attack was successfully used. This came to the staff’s attention when some users noticed their passwords had changed and there had been unauthorized access. The attackers were able to gain unauthorized access to names and social security numbers for the students, staff, and faculty. The attack itself took place in December 2016. As with most average or better phishing attacks, the email did appear to be legitimate. The attackers were able to gain access to many accounts thought to be secure. These accounts had student and employee information within each. The university was not completely sure if any person’s information was accessed. The university also stated they found no evidence of the emails with sensitive information being directly accessed.
Notification
The affected parties were significant in number for the University. There were approximately 25,000 students, staff, and faculty members’ data involved with this. The University sent letters to notify the affected students, staff, and faculty at the end of April. 
Mitigations 
On or about March 28, 2018, the review indicated the unauthorized party had accessed the account from January 31, 2018, to February 15, 2018. Once this was detected, the access was terminated and the system locked down. The breach was analyzed and reviewed. The affected persons receiving the notification letter may enroll in the free Identification Theft Loss Reimbursement Insurance Program. The policy insures up to $1M of losses. The persons though, in the case of a loss, are required to prove the loss was due to the breach. This does not sound too difficult, but to prove and document this is very difficult given the circumstances. How would one document where exactly the attacker secured the data from? What if there is a loss and the fraudulent actor cannot be found? To remove the potential for this to occur again, the University was training the staff to be more aware of phishing attacks and in better methods to handle and store sensitive and confidential data.
Questions and Lessons Learned 
The breach occurred in December 2016. The affected parties were not notified for five months. This gave the attackers five months of time to sell and otherwise work with the data without any interruption. This should have been addressed earlier so the affected persons would have the opportunity to minimize the potential negative effects.


Resources
Associated Press. (2019, April 29). University of alaska seeking people affected by data breach. Retrieved from https://www.usnews.com/news/best-statesalaska/articles/2019-04-29/university-of-alaska-seeking-people-affected-by-data-breach 

Dissent. (2019, April 27). University of alaska discovered a breach in february, 2018 that they are revealing now? Retrieved from https://www.databreaches.net/university-of-alaska-notice-of-data-breach/ 

E-Hacking News. (2019, April 29). Data breach at university of alaska exposes personal information of students online. Retrieved from https://www.ehackingnews.com/2019/09/data-breach-at-university-of-alaska.html 

Polk, L. (2019, May 31). University of alaska: Thousands affected by data breach, including names, social security numbers. Retrieved from https://www.ktuu.com/content/news/University-of-Alaska-thousands-affected-by-data-breach-including-social-security-information-425538543.htm