Showing posts with label SIEM. Show all posts

Sunday, August 11, 2019

San Diego USD Pwned Hard!


School districts are much like universities and colleges, in that they hold a large amount of personal data that can easily be sold. This makes them more of a target. Coupled with their budgetary constraints, it makes InfoSec difficult at times, as it recently was for the San Diego USD.
Attack
This compromise is a bit different from most others. The district reportedly is not certain of the attack vector, but believes it was the result of a relatively simple, yet effective, phishing attack: the attackers obtained an authorized user's credentials and logged in with them. In this case, the attackers gained and maintained their access from January through November 2018, roughly ten months. This is odd. A SIEM with appropriate rules would be expected to flag logins at odd hours, an unusual number of logins, a source IP not seen before for that account, and the volume of data being moved out. That would be the case unless the district had no SIEM, or no such rules, in place during the attack. The district became aware of the intrusion in October 2018.
Data
Generally, data is the end goal for the attacker. With it, they can generate revenue by selling the data, use it as leverage against the target, and so on. Through the compromise, the attackers were able to exfiltrate a significant amount of data: ten years' worth, from the 2008-2009 school year through 2018, when the breach was detected. Approximately 500,000 students and staff were affected. In addition to the length of time the breach was open and the number of years of data exfiltrated, there is also the depth of data per affected person. This includes first name, last name, date of birth, mailing address, home address, telephone number, student enrollment information (schedule, discipline incident information, health information, schools of attendance, transfer information, legal notices on file, attendance dates), social security number or state student number, emergency contact information, staff benefit information, and staff payroll and compensation data.
Notification
The notice to the affected parties was filed the Friday before Christmas in 2018. The breach would probably be one of the last things they wanted to hear about just before the holiday. The notice stated the district had reason to believe its systems were breached and the attackers may have accessed the data. This could not have been what the students and staff were hoping for as a Christmas gift!
Detection
With a phishing attack, there can be a delay between the initial click and visible malicious activity, depending on what the attacker does with the access. Staff began to notice emails that seemed odd and, appropriately, reported them to the IT department. As the next step should go, the IT department looked into it, recognized this really should not be happening, and discovered the breach in October 2018.

The district, once it knew of the breach, did not immediately shut down the attack. This seems counter-intuitive. Once you know the attacker is in and exfiltrating a large amount of data, prudence would seem to dictate closing the attack vector. There was a rational reason for this: the district wanted not only to clear the access, but also to identify the attacker and allow law enforcement to do its job. The district later reset the compromised accounts, and from that point forward has been working to prevent unauthorized access.
Thoughts
The attacker had access for roughly ten months. The SOC, or at the very least any SIEM in place, should have noted abnormal activity as a large volume of data left the servers. A SIEM only alerts on the correlation rules and thresholds it has been given, so possibly no rules covering this pattern had been put in place. This compromise also emphasizes the need for phishing training for the staff. This should not be the once-a-year training where staff nod off while the canned presentation plays. Training needs to be periodic (e.g. quarterly) and use current examples. Without some form of connection, the staff will probably view it as yet another mandatory session and start working on other things instead of listening.
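The three signals mentioned above (off-hours logins, a source IP never seen for the account, and a large volume of data leaving in a short window) are the kind of correlation rules a SIEM has to be configured with before it will alert. The script below is an added example, written for this post and not code from the district or any vendor; it runs those three rules over a small constructed log (hypothetical users, RFC 5737 test addresses, made-up timestamps, not the district's logs). The business-hours window, the 24-hour window and the 500 MB threshold are assumed values that a real deployment would tune per account.

```python
"""Three baseline-style SIEM rules run over constructed auth/export log lines.

Rules (assumed thresholds, not from the original post):
  1. off_hours_login : a login outside 06:00-19:00 local or on a weekend
  2. new_source_ip   : a login from an IP never seen for that account in the baseline period
  3. exfil_volume    : an account's exports exceed 500 MB within any 24-hour window
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    action: str          # "login" or "export"
    bytes_out: int = 0   # bytes leaving the system, only meaningful for "export"


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-ts> <user> <src_ip> <action> [bytes]'."""
    parts = line.split()
    nbytes = int(parts[4]) if len(parts) > 4 else 0
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], nbytes)


# Constructed sample log (hypothetical users and test addresses); not real data.
# December lines form the baseline; the January lines are what we alert on.
SAMPLE_LOG = """\
2017-12-04T08:55:00 jsmith 10.20.0.15 login
2017-12-05T09:02:00 jsmith 10.20.0.15 login
2017-12-06T08:47:00 mlee 10.20.0.22 login
2017-12-07T09:10:00 jsmith 10.20.0.15 login
2018-01-08T09:15:00 jsmith 10.20.0.15 login
2018-01-09T02:40:00 jsmith 203.0.113.45 login
2018-01-09T02:45:00 jsmith 203.0.113.45 export 400000000
2018-01-09T03:10:00 jsmith 203.0.113.45 export 350000000
2018-01-10T10:00:00 mlee 10.20.0.22 login
"""

BASELINE_END = datetime(2018, 1, 1)   # events before this date only train the baseline
BUSINESS_HOURS = (6, 19)              # 06:00-19:00 local, weekdays (assumed)
EXFIL_WINDOW = timedelta(hours=24)    # assumed sliding window
EXFIL_THRESHOLD = 500_000_000         # assumed per-user bytes per window

Alert = Tuple[str, str, str]          # (rule, user, ISO timestamp)


def build_baseline(events: List[Event], until: datetime = BASELINE_END) -> Dict[str, Set[str]]:
    """Learn, per account, the set of source IPs seen logging in before the cutoff."""
    known: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.action == "login" and e.ts < until:
            known[e.user].add(e.src_ip)
    return known


def is_off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect(events: List[Event], baseline: Dict[str, Set[str]]) -> List[Alert]:
    alerts: List[Alert] = []
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)  # per-user exports in window
    for e in sorted(events, key=lambda x: x.ts):
        if e.ts < BASELINE_END:
            continue  # baseline period is for learning, not alerting
        if e.action == "login":
            if is_off_hours(e.ts):
                alerts.append(("off_hours_login", e.user, e.ts.isoformat()))
            if e.src_ip not in baseline.get(e.user, set()):
                alerts.append(("new_source_ip", e.user, e.ts.isoformat()))
        elif e.action == "export":
            q = recent[e.user]
            while q and e.ts - q[0][0] > EXFIL_WINDOW:   # drop exports older than the window
                q.popleft()
            before = sum(b for _, b in q)
            q.append((e.ts, e.bytes_out))
            after = before + e.bytes_out
            if before < EXFIL_THRESHOLD <= after:          # alert once per threshold crossing
                alerts.append(("exfil_volume", e.user, e.ts.isoformat()))
    return alerts


def run(log_text: str = SAMPLE_LOG) -> List[Alert]:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for rule, user, when in run():
        print(f"{when} {user} {rule}")
```

On the constructed log this raises three alerts, all for jsmith on 2018-01-09: the 02:40 login is both off-hours and from an IP the account has never used, and the second export at 03:10 pushes the 24-hour total to 750 MB and crosses the threshold. The same rules can be fed real authentication and proxy/file-transfer logs; what changes per deployment is the baseline source, the hours profile per account, and the thresholds.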

Resources
Allen, T. (2018, December 27). Notice of data breach. Retrieved from https://www.sandiegounified.org/sites/default/files_link/district/files/

Cimpanu, C. (2018, December 25). Hacker steals 10 years' worth of data from San Diego school district. Retrieved from https://www.zdnet.com/article/hacker-steals-10-years-worth-of-data-from-san-diego-school-district/

Lilly, P. (2018, December 26). Hacker exploits San Diego school district school network, steals personal data on 500k students and staff. Retrieved from https://hothardware.com/news/hacker-exploits-san-diego-school-districts-network-steals-data

Malafronte, K. (2018, December 27). San Diego USD hacked, 10 years' worth of data stolen. Retrieved from https://www.campussafetymagazine.com/technology/san-diego-school-district-hacked/

San Diego Unified School District. (2018, December). Data safety. Retrieved from https://www.sandiegounified.org/datasafety

Security Woes Department. (2018, December 26). Hacker steals ten years' worth of data from San Diego school district. Retrieved from https://it.slashdot.org/story/18/12/26/1248222/hacker-steals-ten-years-worth-of-data-from-san-diego-school-district



Saturday, December 15, 2018

Woesnotgone Meadow; December 3, 2018



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. A portion of the residents are very familiar with one aspect of internet usage: email. They use it mostly for family communications, sharing pictures, or just bugging one another. One area that has been a problem, and continues to be, is phishing, and not the kind by Margie's pond on the south side of her home. New York Oncology Hematology (NYOH) recently experienced this.

Phishing has become such a lucrative and easy attack method that it is no wonder its prevalence has skyrocketed. The methodology is relatively straightforward and not overly complex.

Attack
The phishing emails were sent between April 20 and 27, 2018. Each contained a link; once an unfortunate user clicked it, credential harvesting began. Of the large number of emails sent, the attackers succeeded with 14 users. Sometimes all it takes is a handful of people clicking. The emails naturally appeared legitimate, and the targets entered their usernames and passwords, giving the attackers access to those accounts. The 14 email accounts were locked down once the issue was noticed and the attack was shut down. The triggering event was not published, though; it could have been a user noticing something, a user report, or the enterprise tooling (e.g. a SIEM) detecting it.

Affected Parties
More than 128,400 employees and patients were affected. Employees and patients who joined NYOH after April 27, 2018 were not affected. As of November 2018, NYOH was not aware of any patient data being misused. Problems for the affected parties may not appear immediately, though: whoever holds the data may use or sell it at their leisure, with no time limit.

Remediation
NYOH contracted a third party to conduct a forensic review, and the report was delivered to NYOH on October 1, 2018. It found that one or more of the compromised email accounts contained PHI accessible to the attackers, meaning confidential and private health information was exposed to an unauthorized party. Because of the compromise, NYOH is offering the affected parties credit reporting services.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
Daily Gazette Reporter. (2018, November 16). New York Oncology Hematology hit by email scam. Retrieved from https://dailygazette.com/article/2018/11/16/new-york-oncology-hematology-hit-by-email-scam

Dissent. (2018, November 17). New York Oncology Hematology notifying more than 128,400 employees and patients after phishing attack. Retrieved from https://www.databreaches.net/new-york-oncology-hematology-notifying-more-than-128400-employees-and-patients-after-phishing-attack/

New York Oncology Hematology. (2018). Phishing incident: What you need to know. Retrieved from https://newyorkoncology.com/security/

WGY News. (2018, November 17). New York Oncology Hematology reports data breach. Retrieved from https://wgy.iheart.com/content/2018-11-17-new-york-oncology-hematology-reports-data-breach/

Friday, November 23, 2018

PageUp Breach


PageUp is an Australian human resources software provider with a global presence: roughly 2.6 million users across more than 190 countries. Most of its clients are corporate, including Wesfarmers (Coles, Target, Kmart, and Officeworks), NAB, Telstra, Commonwealth Bank, Lindt, Aldi, Linfox, the Reserve Bank of Australia, Australia Post, Medibank, ABC, Australian Red Cross, University of Tasmania, AGL, and Jetstar.


Attack
PageUp, unfortunately, was on the receiving end of a successful malware attack, in which an unauthorized person gained access to its systems. The precise method and entry point have not been published.

Exfiltrated
The focus of this attack was not encrypting servers or destroying data, as with ransomware or other destructive acts. Data acquisition was the end goal, and the attack succeeded. The attackers were able to access personal data on PageUp's customers' employees, applicants, references, and placement agencies, as well as on PageUp's own employees: names, street addresses, email addresses, telephone numbers, bank details, tax file numbers, diversity information, and emergency contact information. Passwords may also have been accessed; per the company, these were hashed. Hashed passwords are still exposed to offline guessing, so how much protection that offers depends on the hashing algorithm and salting used, and anyone who reused the same password elsewhere should change it.

Detection
Making this attack work required a significant amount of activity on PageUp's systems. PageUp detected what it described as "unusual" activity on its IT infrastructure in May 2018 and began a forensic investigation on May 23, 2018. The detection took the form of malware found on its systems, and the investigation confirmed this as the issue five days later. The business is working with the Australian Cyber Security Centre, several third-party cybersecurity firms, and the Australian Federal Police.

Remediation
This was a substantial issue. As noted, PageUp detected it internally. While it was being resolved, new job applications were not accepted through the platform, and several customers (ABC, Myer, and Macquarie among them, per the Sydney Morning Herald report below) pulled their job pages. Given the depth of the penetration, a portion of customers remained wary and treated the situation cautiously.

GDPR
Nearly everyone is familiar with GDPR. This EU regulation governs the protection of personal data belonging to people in the EU and is far-reaching: it applies not only to businesses in the EU, but to anyone holding, managing, or processing that data.

PageUp has customers and operations in the EU, so the breach may be considered a GDPR violation, exposing PageUp to a fine of up to 4% of its global annual turnover. The business is also dealing with other consequences, including reputational damage, the cost of the forensic work, and the potential for a class action lawsuit.

Affected
The exfiltrated data was confidential, personal, and marketable by the attackers. Both the type and the amount of data are exactly what someone seeking to commit identity fraud wants. The affected people face years of potential issues, including monitoring their credit for fraudulent charges and accounts.


Resources
Bunker, G. (2018, June 11). What the PageUp data breach means in a post-GDPR world. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/what-the-pageup-data-breach/

Crozier, R. (2018, June 12). PageUp People all but confirms personal data 'accessed'. Retrieved from https://www.itnews.com.au/news/pageup-people-all-butconfirms-personal-data-accessed-493481

Davies, A. (2018, June 7). PageUp data breach: Thousands of job seekers’ details potentially exposed. Retrieved from https://www.theguardian.com/technology/2018/jun/07/thousands-of-job-seekers-details-potentially-exposed-in-hack

Duerden, J. (2018, June 12). Blame PageUp breach on security industry. Retrieved from https://www.theaustralian.com.au/business/technology/blame-pageup-breach-on-security-industry/news-story/

Duke, J. (2018, June 11). PageUp data breach: ABC, Asoki, Myer, Macquarie pull jobs pages. Retrieved from https://www.smh.com.au/business/companies/pageup-data-breach-abs-asaki-myer-macquerie-pull-jobs-pages-20180611-p4zktj.html

McLean, A. (2018, June 12). PageUp says it is ‘probable’ customer data was externally accessed. Retrieved from https://www.zdnet.com/article/pageup-says-it-is-probable-customer-data-was-externally-accessed/

Paganini, P. (2018, June 6). HR software firm PageUp is the last victim of a data breach, the company has 2.6 million active users across over 190 countries. Retrieved from https://securityaffairs.co/wordpress/73242/data-breach/pageup-data-breach.html

PageUp. (2018, June 12). Unauthorized activity on IT system. Retrieved from https://www.pageuppeople.com/unauthorized-activity-on-it-system/