Large companies should pay more attention to maintaining user privacy, such as the user’s name and geographic location. Protecting customer privacy is within the scope of the company’s services, because applications and health data of wearable devices are at risk of information leakage. Companies such as Apple should strengthen data security management to avoid huge losses caused by data leakage.
“Cyber-crime: Irish government briefed by cyber security authorities”
The news described Ireland’s healthcare system as the target of cybercriminal attacks twice, and it has been called the largest attack in the history of the state of Ireland.
Although the Irish government has stated that it will ensure the restoration of medical services as soon as possible, it will not spend any money to restore data. In terms of this measure, I think the Irish government may need to spend more attention on maintaining the stable operation of the website.
On September 15, 2021, Microsoft announced that it intends to let users remove passwords from their Microsoft accounts and go password-free. Microsoft said users would remove passwords from their consumer accounts and choose alternative authentication options, such as security keys, authentication codes sent via email or SMS, the Windows Hello biometric system, or the Microsoft Authenticator mobile app. In a blog post announcing the initiative today, Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, said Microsoft is currently seeing up to 579 password attacks per second, or 18 billion per year. Jakkal blamed the situation on today’s authentication challenges. Users have difficulty remembering account passwords and often choose to reuse the same passwords for multiple accounts or use simple passwords – which are accessible for attackers to guess.
I think this is a very important development that is not getting enough attention. Passwords and their management is the bane of many users’ existence! The requirement that passwords be ever more complex and difficult to remember has driven re-use which subverts the desire to have more security. Add in the requirement that users need to change passwords regularly and it leads to a horrible (and not necessarily more secure) user experience!! The fact that someone as big and influential as Microsoft is willing to take this step for their online services will potentially be game changing for all of us!
This article details that shadow IT and misconfigured APIs accounted for two-thirds of cloud breaches in the past year.
Over half the breaches came about as a result of shadow IT. Shadow IT is when systems are spun up without being subject to corporate security policy – therefore lacking vulnerability and risk assessments and hardened security protocols.
Two-thirds of the incidents detailed improperly configured APIs, for example, an API that provides access to sensitive information but has no authentication controls for the API itself, allowing anyone to access that information.
This was pretty surprising to me, as it seems like a vast majority of these breaches could have been prevented by following standard security protocols. However, this does reinforce the fact that human error/negligence is the primary source of failure when it comes to loss.
Shadow IT can be a frustrating occurrence. I’ve seen this in my work with people spinning up cloud applications without the proper diligence. It’s a balance when restricting these services as the intentions of the employee are often good, i.e. they want to increase productivity, but they don’t have the security awareness to implement this correctly.
In this article from Dark Reading, brute-force attacks remain one of the primary cyber attacks. Password attacks even increased in frequency in 2019 as a result of the transition to work from home. Even though there was a media frenzy surrounding large-scale disclosed vulnerabilities such as the recent Exchange vulnerabilities, brute-force attacks are the path of least resistance for attackers. This is partly because many users have poor password management and even reuse passwords. As it relates to our reading this week, providing your users security awareness training, such as using password managers or MFA, can be a low-cost security solution that can yield significant returns. As quoted in the article, you do not always need expensive security solutions or complex security controls. Instead, implementing security basics such as MFA or a robust password policy can minimize your attack surface.
This is interesting that brute-force attacks continue to be a top vector. I was recently talking with a coworker about the changes to https://pages.nist.gov/800-63-3/sp800-63b.html#appA as it relates to passwords. I think the application of password blacklists may have the best ROI. Users can be creatures of habit and select common, easy-to-guess combinations. This coupled with strong compromised-credential detection should reduce the effectiveness of brute-force attacks in the future.
Virginia Beach woman gets 12 years in prison for massive coupon scam
Based on the article, a huge counterfeit coupon scheme damaged consumers, retailers and manufacturers nationwide, and a $31.8 million loss occurred due to phony discounts created by Lori Ann Talens. She ran this scheme from April 2017 to May 2020, and pleaded guilty to all types of fraud such as mail fraud, wire fraud and health care fraud, along with her husband who supported her in the scam.
Lori Ann had excellent knowledge of how point of sale systems operated, so she used her knowledge to create counterfeit coupons, and by using social media she made fake vouchers that were virtually blurry from authentic coupons. She and her husband used Facebook and Telegram to find groups of coupon fanatics and sold them counterfeit coupons.
The biggest victims of the scam included makers and sellers of paper products, household products, Unilever and cleaning product companies. Manufacturers and retailers are now developing new technologies to weed out fake coupons, and trying to prevent future scams such as these from happening.
Given that we’re discussing the Target Breach this week, I thought it would be relevant to discuss the concept of “breach fatigue.” I wonder if this was a contributing factor to Target’s security team ignoring the alerts prior to the breach.
The seemingly constant onslaught of breaches in the news, coupled with companies’ internal alerts and investigations, fatigues security teams and CISOs. It’s important for organizations to effectively define and manage cyber risk so that they can prioritize responses in accordance with business goals. Failure to do this can lead to breach fatigue, where it seems that everything is a priority and the security team’s effectiveness is reduced because everything warrants the same response.
The article outlines a few recommendations for CISOs and their security teams to manage fatigue. Appropriate and meaningful alerts must be configured for organizations in alignment with the business risks associated with the technology. Teams should not get caught up in the news cycle of cyber events and should focus on the priorities defined by the business. When an incident does occur, a well-crafted response plan, with clear customer communications, is critical. Organizations must be willing to change in response to incidents and stave off complacency. The feeling of breach inevitability must inspire teams to define risks, prepare responses, and learn from the past, instead of succumbing to the paralysis of breach fatigue.
As many may have heard of the Open Web Application Security Project, or OWASP, this article discusses an interesting topic in security lately: OWASP has just released its 2021 draft of its famous annual top 10 most common web application vulnerabilities. The list is published in an effort to assist in securing web applications, with major emphasis on the design stage. It provides reasons why the CWEs, or common weakness enumerations, exist, as well as techniques to implement to combat these weaknesses. Each year, the list is compiled through extensive research on a massive number of web applications, and the changes that occur from year to year are interesting to observe as they provide insight on how security architecture is changing as well as how the most common methods to exploit the major vulnerabilities vary.
This year, as the article points out, the number one vulnerability is broken access controls, with an astounding 34 CWEs mapped to it. This is especially interesting because broken access controls has slowly crept up the list over the past few years, being number 5 in 2017. Two new vulnerabilities were also added to the list this year: “insecure design” and “software and data integrity failures,” easily relatable to our discussions on integrity throughout the class regarding CIA.
While the article is brief, it contains very relevant information for security professionals. The second biggest vulnerability this year is cryptographic failures. As examples, it cites “hard-coded passwords” and generally bad and insecure practices like the lack of salting or hashing passwords, and “not enforcing TLS,” meaning that there is a high possibility/probability of an insecure session and data request to a server during login such that a traffic sniffer may be able to see the user credentials in cleartext.
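The two password-handling basics raised in this thread, the SP 800-63B Appendix A style blocklist check from the brute-force post and the salted, hashed storage that the OWASP post’s “cryptographic failures” category calls for, are shown together below. This is an added illustration written for this discussion, not code from either article or from OWASP or NIST; the blocklist entries, the iteration count and the record format are constructed assumptions (a real deployment loads a large breached-password corpus and tunes the iteration count to its hardware).

```python
"""Password screening plus salted, iterated storage (added example; assumptions noted)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample blocklist. A real deployment loads a large corpus of
# breached and common passwords; "chicken1" is the example quoted in this thread.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "chicken1"}

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the deploying host's budget
MIN_LENGTH = 8               # SP 800-63B minimum for memorized secrets


def _is_repetitive_or_sequential(pw: str) -> bool:
    """True for strings such as 'aaaaaaaa', 'abcdefgh' or '87654321'."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps <= {1} or steps <= {-1}


def check_password(pw: str, context_words: Tuple[str, ...] = ()) -> Tuple[bool, str]:
    """Apply the SP 800-63B Appendix A screens in order: length, blocklist,
    repetitive/sequential characters, context-specific words (user name,
    service name). Returns (accepted, reason)."""
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if lowered in BLOCKLIST:
        return False, "found in breached/common password list"
    if _is_repetitive_or_sequential(lowered):
        return False, "repetitive or sequential characters"
    for word in context_words:
        if word and word.lower() in lowered:
            return False, f"contains context-specific word '{word}'"
    return True, "ok"


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Store a per-user random salt and an iterated hash, never the password.
    Record format (assumed): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("chicken1", "aaaaaaaa", "Wawa2021rewards", "Correct Horse Battery Staple"):
        print(f"{candidate!r:32} -> {check_password(candidate, context_words=('wawa',))}")
    record = hash_password("Correct Horse Battery Staple")
    print(record)
    print("verify:", verify_password("Correct Horse Battery Staple", record))
    # Same password, two users: different salts give different records.
    print("distinct records:", hash_password("same") != hash_password("same"))
```

Two things the article’s wording does not show: because the salt is random per record, two accounts with the same password do not share a hash (so one cracked record does not expose the other), and `verify_password` reads the iteration count from the record, so the cost can be raised later without invalidating existing records.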
China’s Personal Information Protection Law (PIPL) is becoming effective November 2021. This law implements GDPR-like restrictions. It has 4 main goals:
Protect the rights and interests of individuals
Regulate personal information processing activities
Safeguard the lawful and “orderly flow” of data
Facilitate reasonable use of personal information
Where the PIPL differentiates itself from the GDPR and CCPA is its secondary focus on national security. All companies doing business in China or processing the data of Chinese citizens will need to comply with the PIPL.
How companies will be able to comply with the law is still uncertain. This is because certain portions of the law still need to be written by certain regulatory bodies.
There is also concern that this new law will inhibit a company’s visibility into whether they are OFAC compliant. OFAC screening typically involves exporting customer data and comparing it to a prohibited party list. However, the PIPL will limit our ability to export this data and will also increase the privacy rights of Chinese citizens.
Apple Issues Emergency Fix for NSO Zero-Click Zero Day
Over the past couple of days, Apple has issued statements asking their product users to update their devices immediately. This update included the installation of an emergency security patch for a zero-click exploit which can infect a device without any human interaction. The reason behind this exploit is believed to be to spy on Bahraini activists. The phones of 9 Bahraini activists were found to be breached, and the vulnerable spot was found to be a structural improvement introduced by Apple called BlastDoor. BlastDoor was meant to prevent these types of attacks but was not successful.
This article is about a data breach that happened on Aug 16th at New York University exposing 47,000 citizens. They are not sure whether the breach affected students or employees but The Research Foundation for the State University of New York (SUNY) announced it detected unauthorized access to its networks earlier this year.
The incident was discovered on July 14, and reportedly involved Social Security numbers.
I discovered this article about how the Italian mafia was participating in an operation that was stealing money via phishing, social engineering, and SIM swapping. The mafia mainly extracted the money after hijacking individuals’ bank accounts. Afterwards, the money was laundered and stored in shell companies. This operation resulted in about $11.7 million dollars profit before it was broken up by police. I found this article very interesting due to the idea that even the traditional mafia/gang groups are employing cyber criminals and, as a result, a lot of their income is transitioning to being acquired through these nefarious methods.
Critical infrastructure is once again under attack by cybercriminals. NEW, an Iowa-based farm service provider, turned their system off to contain the cyber incident. It seems as though the cybercriminal group BlackMatter conducted a ransomware attack and has stolen NEW’s data. NEW operates grain storage elevators; they buy crops from farmers and sell fertilizer and other chemicals that may be necessary to grow crops. Given these services, NEW is an important player in the agricultural industry, and downtime of their systems is impactful to their customers as this is the time of year when farmers will start delivering crops to NEW’s elevators.
This week’s case study had me interested in how Equifax got hacked. Given that they are responsible for protecting sensitive information of millions of citizens, it would be ideal for it to be secure. The article encompassed the strategies used by the 4 Chinese hackers as they took advantage of the announcement made by Apache regarding the vulnerabilities within its web applications. It was very quick how they acted to hack Equifax, as the announcement was made in March and later on in May the team of 4 had used SQL scripts to get a select sample of records from Equifax’s database. They then uploaded web shells to get into their server and from there gather the credentials necessary in order to get into the system. Would Apache be to blame for this given that it is their software that had a bug and that they announced it publicly? https://www.wired.com/story/equifax-hack-china/
The data breach at Mercedes-Benz USA compromised some of their customers’ sensitive personal data. The hackers were able to stay within the Mercedes-Benz network for three and a half years. One of their vendors informed them regarding the data breach, as the data was accessible on the cloud storage. The hackers were able to gain access to customers’ driver’s license numbers, social security numbers, credit card information, and dates of birth. Mercedes-Benz has also stated that their vendor has resolved that issue and such an event wouldn’t be replicated. Mercedes-Benz has also confirmed that their other systems were not affected by this incident. In addition, Mercedes-Benz also said that the information that was compromised could only be accessible to someone on the internet that would have specific software program knowledge. It was not easily searchable on the internet. Out of those 1000 users, Mercedes-Benz stated none of the users’ information was misused due to this data breach.
The article I read this week was titled “CIOs Team Up With Other Executives to Counter Cyber Threats” and it describes the collaboration between senior staff due to government regulations and mounting cyber attacks. The senior director of IS security at Alphabet, Inc., Heather Adkins, said that CIOs must work with other executives to build lasting and resilient technology architecture. She also used Google as an example, stating that the CIO works collaboratively with CISOs, security staff, risk officers, etc. because it is helpful to draw on that expertise to make technological decisions. She also stated that culture, business objectives, and leader drive need to work in lockstep. Google realized the benefits when it dealt with Operation Aurora, which was a large-scale cyber attack in which Chinese hackers targeted tech companies for user information and intellectual property. Collaboration at Google resulted in the creation of BeyondCorp, which is described as “an early form of zero-trust architecture, in which hackers are assumed to have already broken in, and security’s job is to stop them from moving around a network.” Adkins said cyber attacks are similar to how they have been throughout the years, but they are happening more often and even faster, which increased the need for collaborative relationships. On top of that, there is increased government scrutiny of cybersecurity preparedness, due to recent events such as the oil pipeline attacks. Some examples include the Biden administration implementing “zero-trust cybersecurity requirements” and the Treasury Department giving incentives to companies that report cyber incidents quickly by promising “consideration in future enforcement”.
I figured that since we were on the topic of cyber breaches for the Use Case I would look up related articles centered around this subject. Then I came across this article. It highlights the exact reasons why companies need to be strict in implementing strict password policies for credentials, especially companies responsible for critical infrastructure, since attackers know that these operations likely yield higher impact, which means more money in the ransom.
But what is incredibly concerning in the article is that when researchers investigated the database they found 653 instances of breached credentials pertaining to the company. One of the breached credentials was “chicken1”, which is not only hilarious but at the same time extremely concerning given that a recent ransomware attack is disrupting supply chains from the company. The attackers know this too, which is why, when imposing the moral argument towards the company, the group of hackers known as “BlackMatter” made it precisely clear: No Ransom, No Network. To put in perspective how much impact this likely costs NEW Cooperative, the hacker group is demanding $5.9 million dollars in ransomware.
The article also acknowledges the FYEO, a database that contains over 20 billion leaked passwords, and investigates the nature of the attack and why recent ransomware families are becoming more of a threat. Overall interesting article.
I read this article back in June where it was found that First American Financial, which is the second largest mortgage title and settlement company in the US, exposed over 800 million documents with some containing sensitive customer financial data. Krebs writes, “Roughly five months before KrebsOnSecurity notified First American that anyone with a web browser could view sensitive documents in its “Eagle Pro” database online just by changing some characters at the end of a link, an internal security audit at First American flagged the exact same vulnerability”. Similar to the Target case, First American was actually alerted of the exposure but chose to take no action until the news media became heavily involved. What I also found interesting is that, like Target, First American also had controls in place to identify and categorize these types of attacks/incidents. However, while Target chose to disable their IPS tool from removing potential malicious software and ignore potential threat alerts, First American did identify the potential threat but didn’t accurately categorize its severity. At the policy level, it was found that First American also did not meet their own internal remediation efforts, which require an incident rated as a level 2 or “low” risk to be remediated within 90 days upon identification.
The New York State Department of Financial Services (NYDFS) is currently in the process of an investigation into the breach, and we know from the article the Securities and Exchange Commission (SEC) hit First American with a 500K fine as a result of the breach. However, it’s clear that the customers are the biggest losers in all of this. Governmental rules and regulations need to be enhanced to hold companies more accountable, such as steeper fines, when they are storing personal customer data in order to protect them.
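Two posts in this thread describe the same shape of failure from the server’s point of view: the cloud-breach post’s API that serves sensitive records with no authentication, and the First American post’s document links that any browser could read “just by changing some characters at the end of a link.” The block below is an added illustration for this discussion, not code from either company or from the articles: a weak handler beside a hardened one that authenticates the caller and then checks that the caller owns the requested record, plus a small log check that flags the miss-heavy traffic that id-guessing produces. The record ids, tokens, accounts and access-log entries are all constructed.

```python
"""Missing authentication / missing ownership check, beside the hardened form.
Added example with in-memory stand-ins; not any real service's code."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample records keyed by sequential ids, the kind of identifier
# that can be browsed by editing a few characters at the end of a link.
DOCUMENTS = {
    "10001": {"owner": "alice", "body": "constructed: alice's settlement statement"},
    "10002": {"owner": "bob", "body": "constructed: bob's wire instructions"},
}
# Constructed bearer tokens -> account. A real service validates signed tokens.
TOKENS = {"tok-alice-example": "alice", "tok-bob-example": "bob"}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def weak_get_document(req: Request) -> Tuple[int, str]:
    """Misconfigured endpoint: no authentication and no ownership check.
    Anyone who can form the URL receives the record."""
    doc = DOCUMENTS.get(req.path.rsplit("/", 1)[-1])
    return (404, "not found") if doc is None else (200, doc["body"])


def _authenticate(req: Request) -> Optional[str]:
    """Map a bearer token to an account using a constant-time comparison."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for token, account in TOKENS.items():
        if hmac.compare_digest(presented, token.encode()):
            return account
    return None


def hardened_get_document(req: Request) -> Tuple[int, str]:
    """Authenticate first, then enforce object-level authorization.
    Design choice (assumed): answer 404 rather than 403 for another
    account's document, so the endpoint does not confirm which ids exist."""
    account = _authenticate(req)
    if account is None:
        return 401, "authentication required"
    doc = DOCUMENTS.get(req.path.rsplit("/", 1)[-1])
    if doc is None or doc["owner"] != account:
        return 404, "not found"
    return 200, doc["body"]


def enumeration_suspects(access_log: List[Tuple[str, int]], threshold: int = 3) -> List[str]:
    """Detection side: callers with more than `threshold` 404s. Guessing
    sequential ids shows up as a burst of misses from one caller."""
    misses: Dict[str, int] = {}
    for caller, status in access_log:
        if status == 404:
            misses[caller] = misses.get(caller, 0) + 1
    return sorted(c for c, n in misses.items() if n > threshold)


if __name__ == "__main__":
    anon = Request("/api/docs/10002")
    print("weak, no token          :", weak_get_document(anon))
    print("hardened, no token      :", hardened_get_document(anon))
    alice = {"Authorization": "Bearer tok-alice-example"}
    print("hardened, alice->bob doc:", hardened_get_document(Request("/api/docs/10002", alice)))
    print("hardened, alice->own doc:", hardened_get_document(Request("/api/docs/10001", alice)))
    # Constructed access log entries: (caller, HTTP status)
    log = [("203.0.113.5", 404)] * 5 + [("198.51.100.7", 200), ("198.51.100.7", 404)]
    print("enumeration suspects    :", enumeration_suspects(log))
```

The point the First American write-up makes about an audit flagging the issue and nobody acting on it maps onto the last function: the server log already contains the evidence of link-guessing, but only if someone has written the check and routed its output to a person who owns the fix.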
This article is a great overview of the epidemic of ransomware. It does justice to the topic by pointing out it is a complex convergence of geopolitics, IT automation across virtually all businesses, the global reach of the internet and cryptocurrencies as an enabler. It does reference what the US govt is contemplating doing to combat this issue, but I remain skeptical that they will be able to do much in the short term. I personally think that making it illegal to pay ransom is short-sighted and possibly a form of victim-blaming. A better approach will be to enable organizations to achieve a higher degree of cyber-security more easily and for lower cost.
There is an activist/hacktivist group known as Anonymous. They have a lot of notoriety for cyber attacks that were targeted at governments, corporations and even Boston Children’s Hospital. More recently they have taken credit for hacking Epik, which is “a web host and domain registrar that provides services to far-right sites”. Not only did they partake in the data breach, consequently they decided to leak 180 gigabytes of data, and make it all accessible to anyone on a torrent file. Anonymous did not disclose much information about how or when they compromised Epik’s systems, however timestamps suggest that it all occurred sometime last February.
On September 15th Epik’s founder and chief executive Robert Monster sent out an email to alert users of the “alleged security incident.” However, according to security researcher Corben Leo, he contacted Robert Monster via LinkedIn to no avail. His message was an attempt to warn Monster that there was a 10-year-old vulnerability “that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.” (Zack Whittaker) Unfortunately, Robert Monster perceived the message as spam and took no action to prevent what would inevitably follow afterwards.
The article talks about data breaches, which are primarily regarded as a permanent threat to all kinds of companies in the 21st century. Though the kinds of breaches are different, the impacts are always the same. This article pays heed to examining over 9000 data breaches made public since 2005, which contributed hugely to the loss of 11.5 billion individual records and have had huge financial and technical repercussions. Also, the most dreadful breaches are hacking breaches; on the other hand, the breaches caused by the human factor are waning, which can be attributed to the awareness of employees and the application of security standards. This article would improve the state of knowledge about hacking breaches and help in securing organizations’ data, prioritizing the most affected sectors so as to ensure effectiveness and efficiency in their determinations. https://www.sciencedirect.com/science/article/pii/S1877050919306064
A cyber-attack has been carried out against major German logistics provider Hellmann Worldwide Logistics. The security incident forced Hellmann to take its central data center offline yesterday. Today, operations at the Osnabrück-based company remain disrupted.
Hellmann said that since the attack was discovered, it has been under the constant observation of its Global Crisis Taskforce, which is analyzing the incident. The company has also hired “external renowned security specialists” to investigate the attack.
Victoria Zak says
According to ABC, Wawa had a security breach happen between March 4, 2019 & December 12 of 2019 by a malware. Since a lot of customers’ personal information has been leaked, Wawa is paying $9 million in cash and gift cards to those who are affected. Human beings who are affected by the security breach can file a claim form until November 29th of 2021. The malware that affected Wawa was potentially at the gas pumps and inside the store.
There are 3 tiers for the human beings affected:
Tier 1- People who used their card during March 4, 2019 & December 12 of 2019 but were not affected can receive a $5 Wawa Gift Card.
Tier 2- Those who are affected and can provide proof of attempted/actual fraud after the transaction receive a $15 Wawa Gift Card.
Tier 3- Customers who lost money, with the documentary proof, can get reimbursed up to $500.
Reference:
https://6abc.com/wawa-data-breach-claim-form-settlement-gift-cards/10991972/
Lauren Deinhardt says
Israeli spyware firm targeted Apple devices via iMessage, researchers say
Citizen Lab, a Canadian software research company, recently discovered a vulnerability within iPhones which has been linked to an Israeli company, NSO Group, for spyware purposes. Dubbed FORCEDENTRY, this zero-day vulnerability manipulated Apple iMessage technology to send corrupted files via SMS that appeared as GIFs, but actually turned out to be Adobe PDFs containing malware. Citizen Lab believes that NSO Group has been using the FORCEDENTRY vulnerability in granting their clients spyware capabilities, through their Pegasus software program. Pegasus can silently hack into a phone, collect PII, intercept calls, amongst other violations of privacy. Although the names of NSO Group clients have not been disclosed, the recent Pegasus Project publication revealed spyware connections that targeted journalists and human rights activists globally. NSO Group claims that their services are only granted to government/law enforcement agencies, however. Citizen Lab was able to link FORCEDENTRY to NSO Group explicitly, due to the unique nature of the vulnerability which had only ever been associated with NSO Group in the past. Apple remediated the vulnerability within hours through a rapid patch.
An interesting quote from this article is from the engineer at Citizen Lab who first discovered the exploit: “As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited”. Millions of people use iMessage, or any chat platform, proving virtual messaging to be a soft target and overall susceptible asset. Vulnerabilities like FORCEDENTRY demonstrate how critical it is to patch/update personal technology, and protect the civilian population from exploits on the daily.
https://www.theguardian.com/technology/2021/sep/13/nso-group-iphones-apple-devices-hack-patch
Michael Jordan says
“The Zero-Trust Approach to Managing Cyber Risk Explained”
Published 9/14 @ 5:30AM in WSJ
Written by David Uberti
The article that I chose to summarize this week discussed what is being called the “zero-trust approach” to managing cybersecurity. It is already implemented by many government agencies and large companies, but is being pushed on all entities over time due to the interconnectivity of the internet.
The zero-trust approach treats a user, device, or app as a potential threat. Users need verification of identity and ability to access most or all data, instead of just one perimeter defense.
It also involves cataloging all devices, using MFA or biometric authentication, monitoring connections in real time, better access controls, better policies with old technology, and more isolation of different departments/networks.
Biden released an executive order requiring all government entities to have the above listed defenses by September 2024. This policy was strongly influenced by the recent Solarwinds hack, in which 9 federal agencies and dozens of US businesses were breached.
Theresa Payton, White House CIO under George Bush, says that the zero-trust approach will be like a “lifestyle change”, due to the fact that it will take a long time. It will also cost a lot of money to upgrade and replace older systems.
https://www.wsj.com/articles/the-zero-trust-approach-to-managing-cyber-risk-explained-11631611801?mod=tech_featst_pos2
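The mechanics the post lists (treat every request as untrusted, verify identity and MFA each time, only admit catalogued and compliant devices, grant the minimum access a role needs, and log every decision) can be shown in a small per-request policy evaluator. The block below is an added example for this thread, not code from the WSJ article or from any vendor's product. The signing key, the device inventory and the resource policy are all constructed for the example; a real deployment would get the identity assertion from an IdP and the device posture from an MDM/EDR feed.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed for this example: the key an identity provider would use to sign assertions.
SIGNING_KEY = b"example-idp-signing-key"

# Constructed device catalog: only enrolled, compliant devices may reach data.
DEVICE_INVENTORY = {
    "laptop-42": {"managed": True, "patched": True},
    "laptop-77": {"managed": True, "patched": False},
}

# Least privilege: a resource is reachable only by the roles listed for it. Deny by default.
RESOURCE_POLICY = {
    "/payroll": {"hr"},
    "/wiki": {"hr", "eng"},
}


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user: str, roles: list, mfa: bool, expires_at: int) -> str:
    """Mint an HMAC-signed identity assertion (a stand-in for an IdP-issued token)."""
    payload = json.dumps(
        {"sub": user, "roles": roles, "mfa": mfa, "exp": expires_at}, sort_keys=True
    ).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def verify_token(token: str, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, device_id: str, resource: str, now: int, audit: list) -> bool:
    """Evaluate one request. Every check must pass; the default answer is deny.
    Each decision is appended to `audit`, which stands in for the real-time monitoring feed."""
    claims = verify_token(token, now)
    if claims is None:
        audit.append(("deny", "?", resource, "bad or expired token"))
        return False
    if not claims.get("mfa"):
        audit.append(("deny", claims["sub"], resource, "mfa not satisfied"))
        return False
    device = DEVICE_INVENTORY.get(device_id)
    if device is None or not (device["managed"] and device["patched"]):
        audit.append(("deny", claims["sub"], resource, "device not compliant"))
        return False
    if not RESOURCE_POLICY.get(resource, set()) & set(claims.get("roles", [])):
        audit.append(("deny", claims["sub"], resource, "role not permitted"))
        return False
    audit.append(("allow", claims["sub"], resource, device_id))
    return True


if __name__ == "__main__":
    log = []
    alice = issue_token("alice", ["hr"], mfa=True, expires_at=2000)
    print(authorize(alice, "laptop-42", "/payroll", now=1000, audit=log))  # True
    print(authorize(alice, "laptop-77", "/payroll", now=1000, audit=log))  # False: unpatched device
    print(log)
```

The point of the evaluator is that there is no "inside": a valid token from a compliant device still gets nothing unless the role is listed for that resource, and an expired or tampered token is refused before any other check runs.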
Matthew Bryan says
I really like the concept of zero trust and think it will help address many of the issues facing companies today. That said, I struggle with the costs of implementing this as alluded to in the quote below.
“CISA warned that the effort could require many agencies to rebuild or replace much of their existing information-technology infrastructure.”
I am curious about how effective partial zero trust would be given that some companies may opt not to replace some of their infrastructure and accept the risks.
Christopher Clayton says
“Fitbit, Apple user data exposed in breach impacting 61M fitness tracker records”
This past June, a non-password-protected database connected with fitness tracking exposed the records of fitness users through their tracking app devices. The unsecured data came from GetHealth, a New York-based company that provides health and wellness data from apps and wearable devices. Security researchers discovered that over 61 million affected records from all over the world contained names, date of birth, weight, height, gender, and geo-location of users. Even though the information did not contain extremely sensitive information such as social security numbers or credit cards, “all data are valuable, and could be used to carry out other attacks, to commit fraud or extortion or obtain more targeted health information.” Fortunately, the system was secured due to GetHealth’s quick response after the security researchers notified them of the findings.
https://www.fiercehealthcare.com/digital-health/fitbit-apple-user-data-exposed-breach-impacting-61m-fitness-tracker-records
Dan Xu says
Large companies should pay more attention to maintaining user privacy, such as the user’s name and geographic location. Protecting customer privacy is within the scope of the company’s services, because applications and health data of wearable devices are at risk of information leakage. Companies such as Apple should strengthen data security management to avoid huge losses caused by data leakage.
Dan Xu says
“Cyber-crime: Irish government briefed by cyber security authorities”
The news described Ireland’s healthcare system as having been the target of cybercriminal attacks twice, and it has been called the largest attack in the history of the Irish state.
Although the Irish government has stated that it will ensure the restoration of medical services as soon as possible, it will not spend any money to restore data. In terms of this measure, I think the Irish government may need to spend more attention on maintaining the stable operation of the website.
https://www.bbc.com/news/world-europe-57149087
zijian ou says
On September 15, 2021, Microsoft announced that it intends to let users remove passwords from their Microsoft accounts and go password-free. Microsoft said users would be able to remove passwords from their consumer accounts and choose alternative authentication options, such as security keys, authentication codes sent via email or SMS, the Windows Hello biometric system, or the Microsoft Authenticator mobile app. In a blog post announcing the initiative today, Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, said Microsoft is currently seeing up to 579 password attacks per second, or 18 billion per year. Jakkal blamed the situation on today’s authentication challenges. Users have difficulty remembering account passwords and often choose to reuse the same passwords for multiple accounts or use simple passwords, which are easy for attackers to guess.
https://therecord.media/microsoft-to-let-users-completely-remove-account-passwords-and-go-passwordless/?web_view=true
Richard Hertz says
I think this is a very important development that is not getting enough attention. Passwords and their management are the bane of many users’ existence! The requirement that passwords be ever more complex and difficult to remember has driven re-use, which subverts the desire to have more security. Add in the requirement that users need to change passwords regularly and it leads to a horrible (and not necessarily more secure) user experience!! The fact that someone as big and influential as Microsoft is willing to take this step for their online services will potentially be game changing for all of us!
Andrew Nguyen says
This article details that shadow IT and misconfigured APIs accounted for two-thirds of cloud breaches in the past year.
Over half the breaches came about as a result of shadow IT. Shadow IT is when systems are spun up without being subject to corporate security policy – therefore lacking vulnerability and risk assessments and hardened security protocols.
Two-thirds of the incidents detailed improperly configured APIs, for example an API that provides access to sensitive information, but not having any authentication controls for the API itself, allowing anyone to access that information.
This was pretty surprising to me, as it seems like a vast majority of these breaches could have been prevented by following standard security protocols. However, this does reinforce the fact that human error/negligence is the primary source of failure when it comes to loss.
https://www.infosecurity-magazine.com/news/misconfigured-apis-cloud-breaches/
Matthew Bryan says
Shadow IT can be a frustrating occurrence. I’ve seen this in my work with people spinning up cloud applications without the proper diligence. It’s a balance when restricting these services as the intentions of the employee are often good, i.e. they want to increase productivity, but they don’t have the security awareness to implement this correctly.
Kelly Sharadin says
In this article from Dark Reading, brute-force attacks remain one of the primary cyber attacks. Password attacks even increased in frequency in 2019 as a result of the transition to work from home. Even though there was a media frenzy surrounding large-scale disclosed vulnerabilities such as the recent Exchange vulnerabilities, brute-force attacks are the path of least resistance for attackers. This is partly because many users have poor password management and even reuse passwords. As it relates to our reading this week, providing your users security awareness training, such as using password managers or MFA, can be a low-cost security solution that can yield significant returns. As quoted in the article, you do not always need expensive security solutions or complex security controls. Instead, implementing security basics such as MFA or a robust password policy can minimize your attack surface.
https://www.darkreading.com/vulnerabilities-threats/brute-force-attacks-vulnerability-exploits-top-initial-attack-vectors
Matthew Bryan says
It is interesting that brute-force attacks continue to be a top vector. I was recently talking with a coworker about the changes to https://pages.nist.gov/800-63-3/sp800-63b.html#appA as it relates to passwords. I think the application of password blacklists may have the best ROI. Users can be creatures of habit and select common, easy-to-guess combinations. This, coupled with strong compromised-credential detection, should reduce the effectiveness of brute-force attacks in the future.
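The two controls raised in this exchange, a password blocklist of the kind NIST SP 800-63B describes and throttling of failed logins so that brute force stops being the path of least resistance, fit in a short piece of code. What follows is an added example for the thread, not code from the Dark Reading article or from NIST. The blocklist contents, the length floor and the lockout limits are constructed assumptions; a real deployment loads a breach-derived list and tunes the limits to its own traffic.

```python
import unicodedata
from collections import deque

# Constructed blocklist for the example. 800-63B 5.1.1.2 says to reject values known from
# prior breaches, dictionary words, repetitive sequences and context-specific words, and
# to impose no other composition rules.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "chicken1", "welcome1"}
MIN_LENGTH = 8  # assumption: the 800-63B floor for memorized secrets


def normalize(candidate: str) -> str:
    """NFKC-normalize before comparing or hashing, so visually identical inputs match."""
    return unicodedata.normalize("NFKC", candidate)


def check_password(candidate: str, context_words=(), blocklist=BLOCKLIST):
    """Return (accepted, reason). Only a length floor and a blocklist; no 'one digit, one
    symbol' rules, which push users toward predictable substitutions."""
    pw = normalize(candidate)
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    folded = pw.lower()
    if folded in blocklist:
        return False, "appears on the blocklist"
    for word in context_words:  # e.g. the username or the service name
        if word and word.lower() in folded:
            return False, "contains context-specific word %r" % word
    return True, "ok"


class FailureThrottle:
    """Sliding-window lockout: after `limit` failures within `window` seconds for the same
    key, further attempts are refused until old failures age out."""

    def __init__(self, limit=5, window=300):
        self.limit = limit
        self.window = window
        self._failures = {}  # key -> deque of failure timestamps

    def _prune(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, key, now) -> bool:
        return len(self._prune(key, now)) < self.limit

    def record_failure(self, key, now) -> None:
        self._prune(key, now).append(now)

    def reset(self, key) -> None:
        self._failures.pop(key, None)


def attempt_login(username, password, verify, throttle, now):
    """`verify(username, password)` is the real credential check; throttling is
    evaluated before it runs so a locked account does not even reach the hash."""
    key = "user:" + username
    if not throttle.allowed(key, now):
        return "locked"
    if verify(username, password):
        throttle.reset(key)
        return "ok"
    throttle.record_failure(key, now)
    return "failed"


if __name__ == "__main__":
    print(check_password("chicken1"))                      # (False, 'appears on the blocklist')
    print(check_password("correct horse battery staple"))  # (True, 'ok')
    t = FailureThrottle(limit=3, window=60)
    verify = lambda u, p: p == "right"  # constructed stand-in for the credential store
    for tick, guess in enumerate(["a", "b", "c", "right"]):
        print(tick, attempt_login("bob", guess, verify, t, now=tick))
```

Keying the throttle by account rather than by source IP is deliberate: credential-stuffing traffic rotates through proxies, so an IP-only limit is easy to sidestep, while a per-account window caps the guesses any one account can absorb. The throttle also resets on success, so a legitimate user who mistypes is not penalized past their next correct login.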
Mohammed Syed says
Virginia Beach woman gets 12 years in prison for massive coupon scam
Based on the article, a huge counterfeit coupon scheme damaged consumers, retailers and manufacturers nationwide, and a $31.8 million loss occurred due to phony discounts created by Lori Ann Talens. She ran this scheme from April 2017 to May 2020 and pleaded guilty to all types of fraud, such as mail fraud, wire fraud and health care fraud, along with her husband, who supported her in the scam.
Lori Ann had excellent knowledge of how point-of-sale systems operated, so she used her knowledge to create counterfeit coupons, and by using social media she made fake vouchers that were virtually indistinguishable from authentic coupons. She and her husband used Facebook and Telegram to find groups of coupon fanatics and sold them counterfeit coupons.
The biggest victims of the scam included makers and sellers of paper products, household products, Unilever and cleaning product companies. Manufacturers and retailers are now developing new technologies to weed out fake coupons, and trying to prevent future scams such as these from happening.
Matthew Bryan says
Given that we’re discussing the Target Breach this week, I thought it would be relevant to discuss the concept of “breach fatigue.” I wonder if this was a contributing factor to Target’s security team ignoring the alerts prior to the breach.
The seemingly constant onslaught of breaches in the news, coupled with companies internal alerts and investigations, fatigues security teams and CISOs. It’s important for organizations to effectively define and manage cyber risk so that they can prioritize responses in accordance with business goals. Failure to do this can lead to breach fatigue where it seems that everything is a priority and the security team’s effectiveness is reduced because everything warrants the same response.
The article outlines a few recommendations for CISOs and their security teams to manage fatigue. Appropriate and meaningful alerts must be configured for organizations in alignment with the business risks associated with the technology. Teams should not get caught up in the news cycle of cyber events and focus on the priorities defined by the business. When an incident does occur, a well crafted response plan, with clear customer communications is critical. Organizations must be willing to change in response to incidents and stave off complacency. The feeling of breach inevitability must inspire teams to define risks, prepare responses, and learn from the past, instead of succumbing to the paralysis of breach fatigue.
Article: Can CISOs afford to have data breach fatigue?
Author: Anurag Gurtu
Published: August 31, 2021
Link: https://www.securitymagazine.com/articles/95985-can-cisos-afford-to-have-data-breach-fatigue
Antonio Cozza says
Many may have heard of the Open Web Application Security Project, or OWASP; this article discusses an interesting topic in security lately: OWASP has just released the 2021 draft of its famous annual top 10 most common web application vulnerabilities. The list is published in an effort to assist in securing web applications, with major emphasis on the design stage. It provides reasons why the CWEs, or common weakness enumerations, exist, as well as techniques to implement to combat these weaknesses. Each year, the list is compiled through extensive research on a massive number of web applications, and the changes that occur from year to year are interesting to observe, as they provide insight into how security architecture is changing as well as how the most common methods to exploit the major vulnerabilities vary.
This year, as the article points out, the number one vulnerability is broken access controls, with an astounding 34 CWEs mapped to it. This is especially interesting because broken access controls has slowly crept up the list over the past few years, being number 5 in 2017. Two new vulnerabilities were also added to the list this year: “insecure design” and “software and data integrity failures,” easily relatable to our discussions on integrity throughout the class regarding CIA.
While the article is brief, it contains very relevant information to security professionals. The second biggest vulnerability this year is cryptographic failures. As examples, it cites “hard-coded passwords” and generally bad and insecure practice like the lack of salting or hashing passwords, and “not enforcing TLS,” meaning that there is high possibility/probability of an insecure session and data request to a server during login such that a traffic sniffer may be able to see the user credentials in cleartext.
https://www.theregister.com/2021/09/10/owasp_top_ten_appsec_list/
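The "cryptographic failures" item in the post above names unsalted or unhashed password storage as a typical case. The block below is an added example for this thread, not code from the OWASP list or from the Register article; it puts the weak pattern (a single fast, unsalted hash) beside the form a reviewer would expect (a per-user random salt, a memory-hard KDF whose parameters travel with the stored value, and a constant-time comparison). The scrypt cost parameters are an assumption for the example and should be tuned to the hardware that will run the logins.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameters for the example (about 16 MiB per hash). Raise N on faster hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_insecure(password: str) -> str:
    """The pattern A02 warns against: one fast, unsalted hash. Two users with the same
    password get the same digest, and a precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, memory-hard hash. The stored string is self-describing: algorithm,
    parameters, salt and derived key, so parameters can be raised later without a flag day."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(key).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored alongside the hash and compare in constant
    time, so a wrong guess takes as long as a right one regardless of where it differs."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        key = hashlib.scrypt(password.encode(), salt=salt,
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed login rather than crash
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    # Two users choosing the same password: identical in the weak scheme, distinct in the strong one.
    print(store_insecure("hunter22!") == store_insecure("hunter22!"))   # True
    a, b = hash_password("hunter22!"), hash_password("hunter22!")
    print(a == b, verify_password("hunter22!", a), verify_password("hunter23!", a))  # False True False
```

The salt is not a secret; its job is to make each stored value unique so that attackers cannot amortize one precomputation across all accounts. The work factor is what slows an offline attack, which is why it is recorded in the stored string rather than fixed in code.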
Madalyn Stiverson says
China’s Personal Information Protection Law (PIPL) is becoming effective November 2021. This law implements GDPR-like restrictions. It has 4 main goals:
Protect the rights and interests of individuals
Regulate personal information processing activities
Safeguard the lawful and “orderly flow” of data
Facilitate reasonable use of personal information
Where the PIPL differentiates itself from the GDPR and CCPA is its secondary focus on national security. All companies doing business in China or processing the data of Chinese citizens will need to comply with the PIPL.
How companies will be able to comply with the law is still uncertain. This is because certain portions of the law still need to be written by certain regulatory bodies.
There is also concern that this new law will inhibit a company’s visibility into whether they are OFAC compliant. OFAC screening typically involves exporting customer data and comparing it to a prohibited party list. However, the PIPL will limit our ability to export this data and will also increase the privacy rights of Chinese citizens.
Madalyn Stiverson says
Article link:
https://www.csoonline.com/article/3631611/chinas-pipl-privacy-law-imposes-new-data-handling-requirements.html
Michael Galdo says
Apple Issues Emergency Fix for NSO Zero-Click Zero Day
Over the past couple days, Apple has issued statements asking their product users to update their devices immediately. This update included the installation of an emergency security patch for a zero-click exploit which can infect a device without any human interaction. The reason behind this exploit is believed to be to spy on Bahraini activists. The phones of 9 Bahraini activists were found to be breached and the vulnerable spot was found to be a structural improvement introduced by Apple called BlastDoor. BlastDoor was meant to prevent these types of attacks but was not successful.
https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/
Ornella Rhyne says
This article is about a data breach that happened on Aug 16th at New York University exposing 47,000 citizens. They are not sure whether the breach affected students or employees but The Research Foundation for the State University of New York (SUNY) announced it detected unauthorized access to its networks earlier this year.
The incident was discovered on July 14, and reportedly involved Social Security numbers.
https://portswigger.net/daily-swig/data-breach-at-new-york-university-potentially-affects-47-000-citizens
Ryan Trapp says
I discovered this article about how the Italian mafia was participating in an operation that was stealing money via phishing, social engineering, and SIM swapping. The mafia mainly extracted the money after hijacking individuals’ bank accounts. Afterwards the money was laundered and stored in shell companies. This operation resulted in about $11.7 million in profit before it was broken up by police. I found this article very interesting due to the idea that even the traditional mafia/gang groups are employing cyber criminals and, as a result, a lot of their income is transitioning to being acquired through these nefarious methods.
https://www.theregister.com/2021/09/21/europol_arrests/
Dhaval Patel says
Critical infrastructure is once again under attack by cybercriminals. NEW, an Iowa-based farm service provider, turned their systems off to contain the cyber incident. It seems as though the cybercriminal group BlackMatter conducted a ransomware attack and has stolen NEW’s data. NEW operates grain storage elevators; they buy crops from farmers and sell fertilizer and other chemicals that may be necessary to grow crops. Given these services, NEW is an important player in the agricultural industry, and downtime of their systems is impactful to their customers, as this is the time of year when farmers start delivering crops to NEW’s elevators.
https://www.reuters.com/technology/iowa-farm-services-company-reports-cybersecurity-incident-2021-09-20/
Wilmer Monsalve says
This week’s case study had me interested in how Equifax got hacked. Given that they are responsible for protecting the sensitive information of millions of citizens, it would be ideal for it to be secure. The article encompassed the strategies used by the 4 Chinese hackers as they took advantage of the announcement made by Apache regarding the vulnerabilities within its web applications. They acted very quickly to hack Equifax: the announcement was made in March, and later on in May the team of 4 had used SQL scripts to get a select sample of records from Equifax’s database. They then uploaded web shells to get into the server and from there gathered the credentials necessary to get into the system. Would Apache be to blame for this, given that it is their software that had a bug and that they announced it publicly?
https://www.wired.com/story/equifax-hack-china/
Vraj Patel says
The data breach at Mercedes-Benz USA compromised some of their customers’ sensitive personal data. The hackers were able to stay within the Mercedes-Benz network for three and a half years. One of their vendors informed them regarding the data breach, as the data was accessible on a cloud storage platform. The hackers were able to gain access to customers’ driver’s license numbers, social security numbers, credit card information, and dates of birth. Mercedes-Benz has also stated that their vendor has resolved the issue and that such an event wouldn’t be repeated. Mercedes-Benz has also confirmed that their other systems were not affected by this incident. In addition, Mercedes-Benz also said that the compromised information could only be accessed by someone on the internet with specific software program knowledge; it was not easily searchable on the internet. Mercedes-Benz stated that none of those 1,000 users’ information was misused due to this data breach.
Reference: https://portswigger.net/daily-swig/mercedes-benz-usa-admits-some-customers-credit-card-details-drivers-license-numbers-were-accessible-for-3-5-years
Alexander William Knoll says
The article I read this week was titled “CIOs Team Up With Other Executives to Counter Cyber Threats” and it describes the collaboration between senior staff due to government regulations and mounting cyber attacks. The senior director of IS security at Alphabet Inc., Heather Adkins, said that CIOs must work with other executives to build lasting and resilient technology architecture. She also used Google as an example, stating that the CIO works collaboratively with CISOs, security staff, risk officers, etc., because it is helpful to draw on that expertise to make technological decisions. She also stated that culture, business objectives, and leader drive need to work in lockstep. Google realized the benefits when it dealt with Operation Aurora, which was a large-scale cyber attack in which Chinese hackers targeted tech companies for user information and intellectual property. Collaboration at Google resulted in the creation of BeyondCorp, which is described as “an early form of zero-trust architecture, in which hackers are assumed to have already broken in, and security’s job is to stop them from moving around a network.” Adkins said cyber attacks are similar to how they have been throughout the years, but they are happening more often and even faster, which has increased the need for collaborative relationships. On top of that, there is increased government scrutiny of cybersecurity preparedness, due to recent events such as the oil pipeline attacks. Some examples include the Biden administration implementing “zero-trust cybersecurity requirements” and the Treasury Department giving incentives to companies that report cyber incidents quickly by promising “consideration in future enforcement”.
https://www.wsj.com/articles/cios-team-up-with-other-executives-to-counter-cyber-threats-11632255530
Michael Duffy says
I figured that since we were on the topic of cyber breaches for the use case, I would look up related articles centered around this subject. Then I came across this article. It highlights the exact reasons why companies need to be strict in implementing password policies for credentials, especially companies responsible for critical infrastructure, since attackers know that these operations likely yield higher impact, which means more money in the ransom.
But what is incredibly concerning in the article is that when researchers investigated the database they found 653 instances of breached credentials pertaining to the company. One of the breached credentials was “chicken1”, which is not only hilarious but at the same time extremely concerning, given that a recent ransomware attack is disrupting supply chains from the company. The attackers know this too, which is why, when imposing the moral argument towards the company, the group of hackers known as “BlackMatter” made it precisely clear: No Ransom, No Network. To put into perspective how much impact this likely costs NEW Cooperative, the hacker group is demanding $5.9 million in ransom.
The article also mentions FYEO, a database that contains over 20 billion leaked passwords, and investigates the nature of the attack and why recent ransomware families are becoming more of a threat. Overall an interesting article.
https://www.zdnet.com/article/after-ransomware-attack-company-finds-650-breached-credentials-from-new-cooperative-ceo-employees/
Bryan Garrahan says
https://krebsonsecurity.com/2021/06/first-american-financial-pays-farcical-500k-fine/
I read this article back in June, where it was found that First American Financial, which is the second largest mortgage title and settlement company in the US, exposed over 800 million documents, some containing sensitive customer financial data. Krebs writes, “Roughly five months before KrebsOnSecurity notified First American that anyone with a web browser could view sensitive document in its “Eagle Pro” database online just by changing some characters at the end of a link, an internal security audit at First American flagged the exact same vulnerability”. Similar to the Target case, First American was actually alerted to the exposure but chose to take no action until the news media became heavily involved. What I also found interesting is that, like Target, First American also had controls in place to identify and categorize these types of attacks/incidents. However, while Target chose to disable their IPS tool from removing potential malicious software and ignored potential threat alerts, First American did identify the potential threat but didn’t accurately categorize its severity. At the policy level, it was found that First American also did not meet their own internal remediation requirements, which require an incident rated as a level 2 or “low” risk to be remediated within 90 days of identification.
The New York State Department of Financial Services (NYDFS) is currently in the process of an investigation into the breach, and we know from the article that the Securities and Exchange Commission (SEC) hit First American with a $500K fine as a result of the breach. However, it’s clear that the customers are the biggest losers in all of this. Governmental rules and regulations need to be enhanced to hold companies more accountable, such as with steeper fines, when they are storing personal customer data, in order to protect them.
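Two posts in this thread describe the same class of bug from different angles: the cloud-breach summary above (an API that hands out sensitive data with no authentication on the endpoint) and this one (documents reachable "just by changing some characters at the end of a link", i.e. no authorization check on a guessable identifier). The block below is an added example for the thread and is not code from either article or from First American's system. It shows a request handler with both defects beside a hardened handler that authenticates the caller, uses non-guessable identifiers, and checks ownership before returning anything. The document store, session table and token values are constructed for the example.

```python
import hmac
import secrets

# Constructed document store, keyed the way the vulnerable design did it: by a sequential id.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "alice's settlement statement"},
    1002: {"owner": "bob", "body": "bob's settlement statement"},
}
# Constructed session table: bearer token -> authenticated user.
SESSIONS = {"tok-alice-3f9c": "alice", "tok-bob-81aa": "bob"}


def handle_vulnerable(path: str):
    """GET /docs/<n> with no authentication and no ownership check.
    Incrementing the number at the end of the link walks the entire store."""
    try:
        doc_id = int(path.rsplit("/", 1)[1])
    except ValueError:
        return 404, None
    doc = DOCUMENTS.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)


# Hardened version. Opaque ids replace the sequential ones in every link the app emits;
# the mapping is populated at startup and never exposed.
_OPAQUE = {}  # opaque id -> sequential id
for _seq in DOCUMENTS:
    _OPAQUE[secrets.token_urlsafe(16)] = _seq


def opaque_id_for(seq_id: int) -> str:
    """What the app would embed in a link instead of the raw database key."""
    return next(k for k, v in _OPAQUE.items() if v == seq_id)


def _authenticate(headers: dict):
    """Resolve a bearer token to a user, comparing in constant time. None if absent/invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return user
    return None


def handle_hardened(path: str, headers: dict):
    """GET /docs/<opaque> : authenticate, resolve the opaque id, then check ownership."""
    user = _authenticate(headers)
    if user is None:
        return 401, None
    opaque = path.rsplit("/", 1)[1]
    seq_id = _OPAQUE.get(opaque)
    doc = DOCUMENTS.get(seq_id) if seq_id is not None else None
    # 404 for both "missing" and "not yours", so the response does not reveal which ids exist.
    if doc is None or doc["owner"] != user:
        return 404, None
    return 200, doc["body"]


if __name__ == "__main__":
    print(handle_vulnerable("/docs/1002"))  # (200, "bob's settlement statement") with no login at all
    link = "/docs/" + opaque_id_for(1002)
    print(handle_hardened(link, {}))                                            # (401, None)
    print(handle_hardened(link, {"Authorization": "Bearer tok-alice-3f9c"}))    # (404, None)
    print(handle_hardened(link, {"Authorization": "Bearer tok-bob-81aa"}))      # (200, ...)
```

The ownership check is the control that actually matters; the opaque identifier only removes the trivial enumeration path, and on its own it would still be an authorization bug the moment a link leaked. Returning 404 rather than 403 for another user's document is a small extra that keeps the endpoint from confirming which identifiers are valid.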
Richard Hertz says
https://nymag.com/intelligencer/article/ransomware-attacks-2021.html
This article is a great overview of the epidemic of ransomware. It does justice to the topic by pointing out it is a complex convergence of geo-politics, IT automation across virtually all businesses, the global reach of the internet and crypto currencies as an enabler. It does reference what the US govt is contemplating doing to combat this issue, but I remain skeptical that they will be able to do much in the short term. I personally think that making it illegal to pay ransom is short sighted and possibly a form of victim-blaming. A better approach will be to enable organizations to achieve a higher degree of cyber-security more easily and for lower cost.
Joshua Moses says
There is an activist/hacktivist group known as Anonymous. They have a lot of notoriety for cyber attacks that were targeted at governments, corporations and even Boston Children’s Hospital. More recently they have taken credit for hacking Epik, which is “a web host and domain registrar that provides services to far-right sites”. Not only did they carry out the data breach; they also decided to leak 180 gigabytes of data and make it all accessible to anyone via a torrent file. Anonymous did not disclose much information about how or when they compromised Epik’s systems; however, timestamps suggest that it all occurred sometime last February.
On September 15th Epik’s founder and chief executive Robert Monster sent out an email to alert users of the “alleged security incident.” However, according to Security researcher Corben Leo, he contacted Robert Monster via LinkedIn to no avail. His message was an attempt to warn Monster that there was a 10 year old vulnerability “that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.” (Zack Whittaker) Unfortunately Robert Monster perceived the message as spam and took no action to prevent what would inevitably follow afterwards.
https://techcrunch.com/2021/09/17/epik-website-bug-hacked/
kofi bonsu says
The article discusses data breaches, which are primarily regarded as a permanent threat to all kinds of companies in the 21st century. Though the kinds of breaches differ, the impacts are always the same. The article examines over 9,000 data breaches made public since 2005, which contributed hugely to the loss of 11.5 billion individual records with huge financial and technical repercussions. The most dreadful breaches are hacking breaches; on the other hand, breaches caused by the human factor are waning, which can be attributed to the awareness of employees and the application of security standards. This article would improve the state of knowledge about hacking breaches and help in securing organizations’ data by prioritizing the most affected sectors, so as to ensure effectiveness and efficiency in their efforts.
https://www.sciencedirect.com/science/article/pii/S1877050919306064
Bernard Antwi says
Cyber-Attack on Hellmann Worldwide Logistics
A cyber-attack has been carried out against major German logistics provider Hellmann Worldwide Logistics. The security incident forced Hellmann to take its central data center offline yesterday. Today, operations at the Osnabrück-based company remain disrupted.
Hellmann said that since the attack was discovered, it has been under the constant observation of its Global Crisis Taskforce, which is analyzing the incident. The company has also hired “external renowned security specialists” to investigate the attack.
https://www.infosecurity-magazine.com/news/cyberattack-on-hellmann-worldwide/