-
Wade Mackey wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 7 months ago
Advanced Penetration Testing -Week-11 Advanced Penetration Testing -Week-12
-
Wade Mackey wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 7 months ago
Advanced Penetration Testing -Week-9 Advanced Penetration Testing -Week-10
-
Chinese hackers accused of targeting US defence firms linked to South China Sea
Cybersecurity group says companies were targeted for information that could prove useful for Beijing in disputed maritime waters
As support for the “is traditional spying/intelligence gathering obsolete?” argument from the previous post – yet another example of state sponsored infiltration – in this case China. Apparently a state sponsored hack against civilian engineering and defense contracting companies that was specifically targeting information on how accurate current navigational equipment is with regard to geographic way-points in the South China Sea. The technique used seems to be a favorite for all spies – spear phishing.
What makes this article particularly interesting is that the US had a previous agreement with China that both countries would NOT target civilians or civilian organizations – so much for ‘agreements’ 🙂
-
Pretty cool – got Ettercap running just using VMs and Kali!
I posted a 9 minute video (with the PDF of the slides) of an example of an Ettercap M-t-M attack running on Hyper-V VMs only. I don’t know if it’s because Hyper-V was used for the VMM or if it works on VMW/VirtualBox VMMs as well (happy to send the Hyper-V .vhdx VM files that you can convert to VMW if you want).
The example just shows a router VM and a Windows8.1 VM with Kali VM running Ettercap on the same subnet. The example shows all ARP caches and MAC addresses as they should be. Then we turn on Ettercap, and watch a DHCP exchange between the Win8.1 and the DHCP server. Then we have Ettercap scan for hosts (the entire subnet). We turn on Wireshark on the Win8.1 VM to watch its ARP cache being poisoned. We then turn on ARP Poisoning on Ettercap and look at the flood. We turn on tcpdump on the Kali/Ettercap VM and bring up a Yahoo session on the Windows8.1 VM (and watch the packets get dumped into the Kali VM).
Finally, we turn off Ettercap and go back to the Win8.1 VM to see how quickly the (previously poisoned) ARP cache gets restored back to normal.
https://www.dropbox.com/sh/myuz5kmq8llgogy/AABGN4yYKRJSn86dlkq4ziCXa?dl=0
-
Nice thanks for sharing, will try this.
-
FBI: Iranian Firm Stole Data In Massive Spear Phishing Campaign
I don’t often hear about the Iranians using cyberwarfare on the offensive. Usually it’s the Russians, Chinese or North Koreans or any number of others. I would like to talk to someone in the industry and see how they gauge the value of the property stolen; even if you get the blueprints to some engineering, what are the odds they have the capabilities to reproduce it? Still, not a good sign for US companies.
-
-
Wade Mackey wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 8 months ago
Advanced Penetration Testing -Week-6
-
Here is a list of compromised data breaches 2017. This article discusses how debit card fraud is on the rise. Very interesting article.
https://www.cnbc.com/2018/03/06/protect-your-bank-accounts-from-rising-debit-card-fraud.html
-
-
Wade Mackey wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 8 months ago
Advanced Penetration Testing -Week-3 Advanced Penetration Testing -Week-4
-
https://thehackernews.com/2018/02/unlock-iphone-software.html
Cellebrite apparently found a way to unlock any phone currently in use, including the iPhone X. Interesting to note that they sell these services to law enforcement authorities. The FBI is still trying to drum up public support for disabling encryption… even though they already have these backdoors!
-
-
Wade Mackey wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 9 months ago
Advanced Penetration Testing -Week-1 Advanced Penetration Testing -Week-2
-
Wade Mackey wrote a new post on the site MIS 5212-Advanced Penetration Testing 6 years, 9 months ago
Welcome to MIS 5212. Class will start February 3rd at 9 AM in Alter 607. We will meet the following Saturday and then every other Saturday for a total of 7 days. Class will run from 9 to no later than 3.
-
One of the top stories in the news is the Spectre and Meltdown vulnerability. This vulnerability affects almost every operating system. Please see link for additional details about the vulnerability.
-
Surprise surprise, another Adobe Flash vulnerability is found. How long until this dinosaur dies?
-
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 6 years, 10 months ago
Intro to Ethical Hacking Week 2 Intro to Ethical Hacking-week-1 Intro-to-Ethical-Hacking-Week-3 Intro-to-Ethical-Hacking-Week-4 Intro-to-Ethical-Hacking-Week-5 Intro-to-Ethical-Hacking-Week-6 […]
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 6 years, 11 months ago
Intro-to-Ethical-Hacking-Week-12
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years ago
Intro-to-Ethical-Hacking-Week-10
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years ago
Intro-to-Ethical-Hacking-Week-9
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years ago
Intro-to-Ethical-Hacking-Week-8
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years ago
Intro-to-Ethical-Hacking-Week-7
Includes update on snaplength. Thanks Ian!
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years ago
Intro-to-Ethical-Hacking-Week-6
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 1 month ago
Intro-to-Ethical-Hacking-Week-5
-
My article talks about Equifax’s external auditor, E&Y, and how they failed to uncover the massive security holes that were exploited during the data breach. While E&Y’s primary responsibility is giving an independent opinion about Equifax’s financial statements, these are increasingly tied to IT and the risks surrounding them. E&Y was aware of the SEC’s increased focus on cyber risks in the past and the SEC had asked Equifax to include a cyber risk disclosure in their financial statements. It is an interesting question, if external auditors should be held accountable for breaches at the companies they audit.
-
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 1 month ago
Intro-to-Ethical-Hacking-Week-4
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 1 month ago
Intro-to-Ethical-Hacking-Week-3
-
Two things:
1) I am still unable to start a thread- my UI is as follows https://pasteboard.co/GK6RXoN.png
2) For the presentation / summary, are we supposed to be writing this as if presenting to the company? Should we be talking about what we found, or how we found it?
-
Same here with 1) and 2) What is that UI and thread, please?
-
@Andres, thanks for sharing! I have a hard time following articles on reddit but it is a great source of information.
My article: http://thehackernews.com/2017/09/vevo-music-video-hacked.html
Hacker group OurMine hacked Vevo and then leaked the data. They call themselves white hackers, which I would disagree with. Releasing data is something a malicious hacker group would do.
-
Pretty weird that “The group… removed the stolen information from its website on Vevo’s request.” Especially once you consider the fact that once it’s downloaded once, pulling it off their website doesn’t really do anything to stop the flow of info.
-
@Ian, good catch! And yeah very strange. You would think Vevo would know that.
-
One thing that I found very odd about the story as well is Vevo’s first response (or rather that of an employee) to OurMine’s initial contact informing them about the breach. It seems strange that someone who I would assume is in a position in the IT or security department would be so immediately dismissive of a message notifying them of a breach. Clearly, it was something worth looking into and should have been treated with more seriousness from the outset. This incident will definitely get them to reevaluate their IDS if nothing else.
-
http://time.com/4946576/ccleaner-malware-hack/
CCleaner, a tool used by many to delete unnecessary files on their Windows computer and keep it running smoothly, was infiltrated with malware. Piriform, the company that developed CCleaner, says they noticed an unknown IP address receiving data from the software on September 12th. They have patched the issue so users need to update CCleaner as soon as possible. The paid version of CCleaner has automatic updates but the free version does not, so free version users are most at risk currently. They do not know who perpetrated the attack or when they got in but do know the server the data was being sent to is in the US.
-
That is definitely unfortunate for users of the free version if they don’t follow this kind of news. They could potentially go weeks or months without realizing that there is compromised software on their device. Companies should consider implementing some sort of notification system to communicate with all users of their product in the event of incidents like these to help ensure patches will be downloaded. I think that would be a good step towards mitigating the security risk posed by these kinds of issues.
-
http://www.technewsworld.com/story/84798.html
Russia, Fake News and Facebook: 24/7 Manipulation
This article talks about the following: foreign countries manipulating citizens by pushing out fake news in social media; both sides, left and right, are ignoring facts and instead pushing out fake news as long as it benefits them; Facebook discovered a Russian connection where they spent 100k on the last election to push fake news out; and finally, we are so focused on our argument dominating that we lose track of what the real problem is: foreign countries are using social media as a method to hack and manipulate our elections and benefit them without even needing to hack our systems.
It will be interesting to see how things unfold in the future. Will social media (fake news) be a bigger threat to the U.S. than the hacking of systems? What will companies like Facebook do to prevent foreign countries from continuing to spread fake news that benefits them? Will the government regulate the social media industry?
-
Andres – I found the last article you posted “https://imgur.com/gallery/rNlQJuT” very interesting. It provides a lot of additional google hacking methods that can be used in the future. It would be great if there was a site that has all the available search operators? It will be great, if anyone knows a site that contains all the available search operators and can share it with everyone.
-
Amanda – Very interesting article. I read up some more on this article and found out that hackers were able to sign the malicious installation executable (v5.33) using a valid digital signature issued to Piriform by Symantec. The hackers also used DGA (Domain Generation Algorithm) so if the server went down they could use DGA to generate new domains to receive and send stolen information. Also, even though the CCleaner company is claiming the new version will fix all the issues, it is recommended to perform a deep clean. Again, great article Amanda.
-
Thank you Amanda for sharing this article with us. It’s very important to understand this issue since a large number of people use CCleaner and most of the versions that are used are free. The biggest question in my opinion would be: Why is this happening? Is it to hack other people’s data, or is the company Piriform itself hacking the software to make people buy the paid version, which is the patched one?
In my opinion, the company can be responsible for this unknown IP address for two reasons:
1- Make people buy the paid version.
2- Make people aware that there is a risk of hacking data from their computers and the only safe way to use CCleaner to clean them.
-
The free version of CCleaner is also patched, it just does not have auto-update enabled so the user has to manually update it to the patched version, while the paid one does have auto-update so the user doesn’t have to do anything to have the patched version. I do think it was Piriform’s responsibility to ensure that their product does not include malware, but to insinuate that they purposefully put the malware into the product is quite the mental leap. Could it have been a rogue employee doing it? I think that is a possibility. But was it a calculated business move? I think that is extremely unlikely.
-
-
Donald,
In my opinion, there is brain hacking as well as computer hacking. In other words, for so many years media, including social media, played a role in brainwashing people and pushing certain ideas with the goal of making a party fail or helping a politician to succeed.
Your article talks about Russia but I can guarantee you that so many governments of other countries do as well. There are articles that talk about how the biggest media network “Aljazeera”, for example, played a big role in changing the leaderships in many countries during the Arab Spring.
-
Good article, but I seem to think we have so much personal information on our devices. We should worry about securing them. Apple as a vendor has to continue to re-invent their products. Past Apple iPhones had finger recognition and now moving to facial. The more things you add to a device, the more chances of security issues and compromising personal information.
-
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 1 month ago
Intro to Ethical Hacking Week 2
-
In the News
A term I heard this year at the RSA conference in San Francisco was “Cyber Malpractice”. The speaker stated companies that do not put controls in place to prevent cyber attacks are committing cyber malpractice and their customers should hold them accountable if their data is compromised. A judge ruled this week that did suffer an injury that was traceable to a breach. The case is allowed to move forward to a class action lawsuit. The outcome of the lawsuit will impact the future of cyber malpractice and organizations’ due diligence responsibilities.
-
Christie,
You raise an interesting issue in light of the news regarding Equifax.
I’ll be interested to see what punishment (if any) Equifax and its management face.
-
I read the full news on this today and there is a website they set up if you want to see if you are affected by this hack or not. http://www.msn.com/en-us/news/technology/massive-equifax-data-breach-may-impact-half-of-us-population/ar-AArtE40?li=AA4Zoy&ocid=ientp – they have the link to it. Since Equifax is one of the largest firms out there for credit monitoring, it’s better to find out now whether you’re hit or not.
-
I came across this article on my friend’s LinkedIn page when I asked him about some techniques to try and learn. He mentioned BitCoin, Blockchain and cryptocurrency. We were talking about investing in to some BitCoin and I looked up blockchain. This article is pretty straightforward and explains it in simple English which is nice. Apply security to it and other technology behind it and blockchain could be useful. https://www.linkedin.com/pulse/blockchain-absolute-beginners-mohit-mamoria
-
And I’m just gonna reply to myself here because I failed to finish my point- the whole idea of entering the last SIX on a website is bonkers. Prior to 2011, your Social Security was formed XXX-YY-ZZZZ. XXX is based on where you were born, YY is based on WHEN you were born, and ZZZZ was assigned in ascending order. This means that really, your last four are the only unique parts of your Social. If you know where someone was born and you know their last six, you now know their entire social. If anyone accessed this website and had a keylogger, their social (which may not have been compromised before) would now be compromised.
The actual site has two open ports- 80 and 443, corresponding to HTTP and HTTPS. I don’t have anything ancient enough that I can actually force an HTTP connection, but I’ll try in the next few days to see if the info entered goes out in plaintext.
-
I don’t care about those things very much. I read them as news. I care more about something more technical and specific, like how to write a simple tool to scan ports and something more advanced. I guess I am not welcome here 😀
-
My new article is about Facebook slapped with $1.43 million fine for violating user’s private information and data in Spain. According to the article, it describes that the Spanish Data Protection Agency (AEPD) has issued $1.43 million penalties against Facebook for breaching laws designed to protect its people’s information and confidentiality. Also, it describes that Facebook collects its user’s data without their permission and makes the profit by sharing the data with advertisers and marketers.
-
My article is about how security researcher Mark Barnes was able to find a vulnerability in the Amazon Echo models 2015/2016. Barnes was able to gain root access with the diagnostic pads that were on the bottom of the devices and installed his own software to create a man in the middle with the user and Amazon. The software that was installed was able to use the microphones and relay the audio file to Barnes’s laptop. There is a possibility that all refurbished or secondhand Echos that were sold were compromised.
-
@Fraser, I work full time for the DoD and this is actually the first I’m hearing about login.gov. Given how terrible and opaque some government processes I’ve had to go through have been, there’s definitely a lot of room for improvement. Getting my security clearance, for example, took about a year, three application submissions, and I never knew if I was a day, a month, or a year away from being accepted. I was still able to work in the meantime, so this fog didn’t affect me too much. I’d hate to be facing the same unknowns while waiting to immigrate
-
This article is about a new ransomware attack that unleashed 23 million emails in 24 hours. This ransomware attack is a new variant to the original Locky ransomware that encrypts a wide variety of files on an infected computer and on other computers on the same network. The email being sent out is very simple as the body says “download it here” including a bogus sender name. The subject line is chosen from a minimal list of words such as pictures, documents, scans and once the attachment is open their files are encrypted and a payment is demanded to unencrypt the files. The current demand is .5 bitcoin which is just over 2300 dollars. With the scale of emails sent out with ransomware in them, it only takes a small amount of people to click on the link and also pay the ransom. Whoever initiated the ransomware attacks can make a couple of million of dollars on a low success rate.
-
Really interesting article, and the execs sold their shares a day after the breach happened?
You would think that a company that stores PII for over 100 million people would have all the security measures in place. Does Equifax have to comply with any standards and/or regulation? I would think these types of companies should be audited by the government.
-
http://www.zdnet.com/article/critical-security-bug-threatens-fortune-100-companies/
The article I found discusses a vulnerability in applications using the REST plugin, built with Apache Struts. A researcher found the vulnerability and Apache released a full patch on 9/5/17. The researchers involved say there is no way to test if a system is vulnerable without exploiting the vulnerability. Exploiting this vulnerability only requires a web browser and allows someone to gain access to the server the application is on, which would then allow them to download or delete data. They believe as many as 65% of Fortune 500 companies are affected, as well as many government agencies. They fear there is no way to notify vulnerable organizations other than releasing how the vulnerability works and companies figuring out they need to patch their systems.
The number of affected organizations may seem high but I don’t doubt that this many companies would be affected. Working in IT Audit I think every organization I’ve seen uses Apache in some way.
-
This was also my first thought when I saw the Equifax page to know if you were hit. I would like to know but I’m not about to enter even more information on a website run by a company that I /know/ has bad security and controls. There has to be a better way for them to set this up to know if you were hit without having to trust a company that has already failed so massively.
-
According to this article, a security researcher discovered that D-Link DIR 850 L Wireless Ac1200 dual-band cloud routers are vulnerable to 10 security issues.
-
http://www.technewsworld.com/story/84794.html
US Elections: Open Source vs Commercial Software
This article talks about the following: San Francisco becoming the first US city to adopt open source software for voting machines, open source software being widely accepted in other areas, open source software’s benefits of bringing cost down and increased security and transparency, and the drawbacks of open source software. It will be interesting to see how things unfold with the current plan to implement open source software for voting machines. Will it be secure? Will people have confidence in the process? Will it reduce cost?
-
Thankfully the vulnerability is confined to the REST plugin, which must be specifically applied, so the issue isn’t as widespread as simply having Apache. That said, it’s still extremely prevalent, and often very hard to detect without knowing the application architecture. From personal experience, it is a pain to track down developers who know this info.
-
http://www.technewsworld.com/story/84790.html
Global Cyberattack on Energy Sector Stokes Deep Fears
This article talks about the following: a hacker group known as “Dragonfly” has deployed sophisticated attacks on the energy sectors of Europe and North America; attacks on the energy sector are complex, but if they do decide to attack it could lead to significant disruption; researchers have not yet determined the motive behind the attacks; attackers used simple tools to attack the energy sector; and finally, the energy sector is focusing on countering the attacks. It will be interesting to see how things unfold, as the attackers have not caused any damage yet. How is the energy sector going to cope with the attacks? Will they be able to eliminate or mitigate the risk?
-
http://www.technewsworld.com/story/84728.html
Cry Hero Arrested on Kronos Malware Charges
This article talks about the following: U.S. authorities arrested a British cyber-researcher credited with stopping the spread of the WannaCry ransomware, the British cyber-researcher developed the “Kronos” malware prior to stopping the spread of WannaCry, and finally the British cyber-researcher is awaiting trial. It will be interesting to see how the trial unfolds.
-
Joseph – Interesting article, this cyberattack was not sophisticated but instead a wholesale attack, hoping that people will fall for it. It’s amazing the amount of people that were affected by the ransomware in such a short period. I wonder if there were any organizations that were affected by the ransomware. If yes, was that due to lack of controls in place? Also, how did they cope with the attack?
-
I think blockchain is definitely something that is going to become more and more important as online currencies become more prevalent into the future. It definitely gives the user (us) more control and assurance of our own transactions instead of relying solely on third parties (as explained in the article). You made a good point that it will need more security measures and processes attached to it before it can become completely viable to large scale transactions.
-
Some companies are accepting bitcoin as currency now and Lamborghini is one of them. The best part of this article is that it breaks it down in simple English and anyone who doesn’t know technology can work with someone who does which is very good.
-
https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html
This is the latest in terms of ransomware that has started to make an impact on the world. This could be something a lot more severe than what we are used to seeing with the current ransomware scams. All should be alert with this one because this could potentially be severe.
-
Very interesting post Fred,
This kind of news became very normal lately, but this time it is surprising because this is very important: it’s one of the largest companies that run our sensitive data. It’s very scary to see a company like Equifax doesn’t invest in securing our data and protecting us. They were trusted to have all this information to run our credit reports and they were careless about the security part.
It’s very scary because our sensitive information is everywhere by now.
-
Richard,
I think this will be an issue for those who use a second hand Echo device. I think that some of those Echo devices can have modified software which can harm our private lives. Again, the people have to start to new devices, especially those containing software.
Very interesting topic Richard, thank you.
-
Neil,
I know I am posting this a few months after your comment. So many organizations and even countries don’t allow the Bitcoin currency to be used. There are so many inconveniences with this currency.
-
22-Year-Old Hacker Pleads Guilty to 2014 Yahoo Hack, Admits Helping Russian Intelligence
Karim Baratov, a 22-year-old Kazakhstan-born Canadian citizen, has pleaded guilty to hacking charges over his involvement in the massive 2014 Yahoo data breach that affected over three billion Yahoo accounts.
In March, the US Justice Department charged two Russians, Dmitry Dokuchaev and Igor Sushchin, and two other hackers, Alexsey Belan and Karim Baratov, for breaking into Yahoo servers in 2014.
Karim was arrested in Toronto at his Ancaster home by the Toronto Police Department in March this year; the other three suspects are still in Russia, unlikely to be extradited.
Last Tuesday, Baratov admitted to helping the Russian spies and pleaded guilty to a total of nine counts in San Francisco as follows:
– One count of conspiring to violate the Computer Fraud and Abuse Act by stealing information from protected computers and causing damage to protected computers.
– Eight counts of aggravated identity theft.
Besides any prison sentence, Baratov has also agreed to pay compensation to the Yahoo victims and a fine up to $2,250,000 (at $250,000 per count).
-
Great article Younis. I think moving forward there will be more hackers getting caught and convicted. And part of it will be big punishments. Imagine if a person gets arrested and then reduces their sentence by cooperating and testifying against larger criminals. This will happen in the security world, and look at the punishment this guy received.
-
-
Great article. I think now cities or townships are more aware of security breaches after the last presidential election. When you look at how much San Francisco paid their vendor, it only makes sense to do open source software and save a lot of money. That money can be used to further secure an open source software. How secure it will be is what remains to be seen.
-
Agree, this was not sophisticated but more about quantity and not quality. In sales – as now in security such as ransomware emails – sometimes the more you attempt the more chances you have. This was 23 million emails so even a 1% success rate has significant damage.
-
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
Just to kick things off, here’s an article I noted today describing scammers using phishing techniques who netted 11 million Canadian (9 million US).
Article says this is not technically hacking. I don’t agree, b […]
-
I’m going to reference the definition for hacking you brought up in class:
“A hacker explores the difference between how something is supposed to work and how it really works.”
The scammer exploited a lack of, or weak, controls surrounding the vendor payment process. The threat was there (scammer). The vulnerability was there (weak controls). The probability, or risk, of this vulnerability being exploited was certainly there.
To me, hacking isn’t always sitting in front of a laptop and using the command line to exploit things. In this case, I’m sure the university thought that, “Our vendor payment process is supposed to work like this.” The scammer showed them how it actually worked.
-
In my opinion, I believe that hacking doesn’t always use the computer to steal information or use the command line to exploit things. As the professor mentioned in class, a hacker can simply use a cell phone to do hacking and steal your money. In this case, I do believe that it’s a hacker issue. Although it didn’t get involved with the hacker, there are IT control, and bank information breach which causes the hacker can easily make the university send the money. The vulnerability (IT control risk and bank breach) is the issue that increases the risk for both bank and university.
-
By definition, this was a successful phishing attack. But for the writer to say “this is not technically hacking” is not an accurate statement. I think the whole objective of hacking and/or phishing is to gain access to something (money and/or PII, etc.) that does not belong to them. Even though the methodologies of hacking and phishing are different, the outcome is still the same. The hacker(s) gained “something” that did not rightfully belong to them.
-
I think I initially posted my comment in the wrong section…
By definition, this was a successful phishing attack. But for the writer to say “this is not technically hacking” is not an accurate statement. I think the whole objective of hacking and/or phishing is to gain access to something (money and/or PII, etc.) that does not belong to them. Even though the methodologies of hacking and phishing are different, the outcome is still the same. The hacker(s) gained “something” that did not rightfully belong to them.
-
I placed my comment in the wrong section.
By definition, this was a successful phishing attack. But for the writer to say “this is not technically hacking” is not an accurate statement. I think the whole objective of hacking and/or phishing is to gain access to something (money and/or PII, etc.) that does not belong to them. Even though the methodologies of hacking and phishing are different, the outcome is still the same. The hacker(s) gained “something” that did not rightfully belong to them.
-
In my opinion, it does seem to me like it is hacking. If we use the definition that we were given in class, that hacking is looking at how a system works and manipulating it and making it work differently, then a lot of things that we think are not hacking are hacking. A user goes to a website and thinks it works a specific way. However, since the developer changed it to be malicious, they changed the perceived way that it works. This to me is hacking even though it is not hacking in the Hollywood sense of a guy behind a desk running a bunch of scripts gaining access. They are still, for example, using social engineering to gain trust and then from that trust extorting it for personal gain.
-
My philosophy is very simple. I don’t care. If it happened, something is wrong. Go fix problems. It’s a lesson. From now on, we know we must be ready to counter attack. Mistake won’t happen again. Past is the past.
-
This attack wasn’t a “technical” hack; however, I still would consider it a hack. When most readers think of a hacker they’re picturing a guy with a laptop and ski mask tapping away furiously at some command line looking console with an ASCII skull popping up after execution.
This is not that kind of hack.
A hack, especially as defined in class, involves manipulating or bending a system's use against the way it was intended. Here, the university didn’t even have controls in place to prevent this situation from happening. It allowed the attacker to manipulate a gaping hole in the financial transaction process, allowing them to do away with millions of dollars. Social engineering is a form of a hack, hacking humans or inter-personal interactions.
-
The technique used to modify the account to divert the money here is a form of hacking to me. Phishing, scam, social engineering or whatever it is called, the purpose is the same: to gain unauthorized access to manipulate/change the original information.
The University should have implemented better access control, or authorization procedures or policies, I think.
-
I believe that this is considered as a hack. Although it might not be considered as a hack in the technical sense of using software and computers to break into systems, it is a form of attack by exploiting or social engineering. According to the report, “controls around the process of changing vendor banking information were inadequate.” With phishing attacks, it could be considered as a social engineering attack by being able to convince the targeted staff to transfer the funds. The scammer exploited the university’s lack of policy and the victim’s awareness of information security.
-
I do not think this incident was the result of a hack. Instead it was a phishing attack using social engineering to commit fraud.
A hacker explores the differences of how something is designed to work and how it can work. A hack is using a computer system to gain unauthorized access to a system.
A hacker committed the attack but did not gain access to the university’s computer systems. They sent an email and employees of the university changed payment accounts.
This is a perfect example where technology cannot solve all cyber security problems. Processes that consider checks and balances are critical to prevent cyber attacks.
-
Amanda,
I understand your frustration. As an auditor, I strongly believe changes should go through the proper channels to mitigate the risk of fraud. However… As you mention, the person you are speaking to is frustrated with the time it takes to get their job done.
The best thing is the proper balance. Imagine this… If an organization has a four tier change management approval process, the time it takes to get the four signatures could cause the change to become irrelevant or possibly obsolete. This process is something the banking industry is going through and the healthcare industry has been dealing with for years.
Now, the changing of a vendor’s account number may only be a Medium impact on the organization vs. upgrading an MRI machine with a High impact, but my point is the auditor’s job may also be an arbitrator between corporate policy and employee satisfaction.
-
I believe this is a huge scam because phishing is usually done via emails, messages, and/or phone calls when a perpetrator is trying to steal money. However, hacking is when there is unauthorized intrusion into a computer or a network.
-
I totally agree with your statement, phishing should be considered hacking. The only difference is the method used to obtain the information. However, I do not agree with the statement phishing is considered an authorized method. I believe the difference between the two methods is the following: phishing – is voluntary, hacking is involuntary.
-
Great post, Fred!
I find your post very informative, especially for someone like me that does not have an IT Audit background. You provided a thorough analysis of the case and were able to suggest a few areas where the company could have improved their policies. Great post again, very informative to see someone else’s point of view from a different background.
-
https://thejournal.com/articles/2017/09/19/users-getting-better-at-identifying-phishing-attacks.aspx
End Users Getting Better at Identifying Phishing Attacks
This article talks about the following: according to data from Wombat Security Technologies, users are getting better at recognizing phishing attacks; users performed better this year on questions around phishing attacks, answering incorrectly only 24 percent of the time compared to 28 percent in 2016; there are year-over-year results showing that reinforcement and practice are critical to learning retention; as with any skill, organizations need to work on cybersecurity awareness and knowledge to see continual improvements. It will be interesting to see how things unfold in the future. Will companies continue to reinforce the importance of cybersecurity threats? Will companies increase awareness and train employees on the subject of cybersecurity threats and, more specifically, phishing attacks?
-
I would have to say that this is indeed a successful hack in the sense that they were able to use both social engineering and phishing attacks in order to get the information they need to get all of the funds transferred to their accounts. This wasn’t a simple thing to do and took a well coordinated attack on a major system to get what all they needed accomplished.
-
This is definitely a hack and the author is wrong. Based on what we learned in class, this was a phishing attack. It does not matter if it’s phishing, social engineering, or web services injects: these all have the same principle or desired outcome. That outcome is to hack in some form; only one is direct harm and the other is disguised.
-
-
Wade Mackey wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
Intro to Ethical Hacking-week-1
-
Wade Mackey wrote a new post on the site MIS 5212-Advanced Penetration Testing 7 years, 6 months ago
Advanced Penetration Testing -Week-1 Advanced Penetration Testing -Week-2 Advanced Penetration Testing -Week-3 Advanced Penetration Testing -Week-4 Advanced Penetration Testing -Week-6 Advanced Penetration Testing […]
I often wonder how many companies could have avoided major security breaches if their companies did annual pen testing against their environment? I just found out that one of my favorite department stores had a security breach and they will not be held responsible if fraud activities were to appear on any of their customers’ accounts.
https://www.saksfifthavenue.com/include/aem/aem_static.jsp?page=security-information-notice&site_refer=EML
Tech industry completes its standards for banishing passwords
https://www.engadget.com/2014/12/09/fido-alliance-publishes-specs/
The FIDO Alliance (Google, Microsoft, PayPal, and others) have just published a ‘password free’ standard that works with both single and two-factor authentication and relies on the use of sign-in methods other than passwords (e.g., some fingerprint readers, USB dongles, etc.). It may take some time before it becomes accepted as a practical alternative to using passwords because it doesn’t support existing authentication mechanisms like Apple’s Touch ID fingerprint system or Bluetooth.
Another big data leak, this time from Delta. How are the security teams not scrambling at these orgs to find vulnerabilities and fix/patch them? It’s getting to the point where we as consumers don’t really have a choice when using some of these services, and yet we are the losers when companies are irresponsible.