Protection of Information Assets
October 6, 2021 by David Lanter 28 Comments
Andrew Nguyen says
October 8, 2021 at 10:05 pm
I came across this article that details how BrewDog (a Scottish brewery and pub chain) had an authentication error in their mobile app for over 18 months that exposed the PII of their customers.
Every mobile app user was given the same hardcoded API Bearer token, which rendered request authorization useless. It also enabled any user to access the PII of another user.
This affected over 200,000 shareholders (along with many customers), and their information had been exposed for over 18 months.
BrewDog currently gives users free beer around their birthday, and so this vulnerability could have been exploited by hackers who would get access to the PII of another user, generate a QR code in the mobile app, and receive free beer from BrewDog (for over 18 months!).
Although BrewDog said that it did not discover any evidence that hackers had stolen shareholder data, I would like to point out that the absence of evidence is not the evidence of absence.
I also find it very surprising that they had used a hardcoded API token for their application (although it may have been testing code that had never been removed – which begs the question of how it made it into the production version of the mobile app).
Overall, I found this article pretty entertaining, and a reminder that information security is as important as ever.
Matthew Bryan says
October 9, 2021 at 7:54 pm
Many companies needed to fast track Bring Your Own Device Policies (BYOD) during COVID-19 to maintain their business operations. BYOD policies allow employees to access company assets on personally owned devices. Often a mobile device management solution is used that helps the employee connect to company assets. Other set-ups use web applications tied to the employee’s company credentials to access resources.
The primary advantage of BYOD is the flexibility it affords to employees. No matter how robust the BYOD program is, personal devices are more vulnerable to attack. That said, there are some situations where BYOD should be avoided given the role of the employee. The author recommends revoking any BYOD access for administrators as their devices could be compromised providing the adversary with elevated credentials.
It’s important for companies to consider how they’ve implemented BYOD and whether this policy needs to change given current threats. Ultimately, this comes down to risk management and assessing how much risk should be assumed when an employee uses a personal device to complete their work.
Article: BYOD security warning: You can’t do everything securely with just personal devices
Author: Danny Palmer
Published: October 7, 2021
Christopher Clayton says
October 9, 2021 at 8:57 pm
“Ransomware: Cyber criminals are still exploiting these old vulnerabilities, so patch now”
Hackers are still able to utilize cyber vulnerabilities due to security updates not being enforced. An examination was done on these attacks via Common Vulnerabilities and Exposures (CVE’s) on ransomware attacks and was determined that these attacks continue to be defenseless because organizations are not updating their security. Java Runtime Environment was part of the list of vulnerabilities, and also Adobe software that attackers exploited successfully. This is always a difficult task for security teams keeping networks secured when applying patches, which makes hackers jobs scanning for vulnerabilities an easy task. Even though it is time consuming, patching to alleviate these vulnerabilities are still necessary in order to apply critical updates.
Kelly Sharadin says
October 10, 2021 at 4:46 pm
Following our case study this week, I found this interesting article from Dark Reading, which reports how new microprocessor technology, including cryptography acceleration, could allow for more secure medical hardware devices. The article highlights the importance of using threat and risk-based profiles specific to the medical device industry to implement the necessary controls best to mitigate vulnerabilities inherent to medical devices. This focus on bolstering hardware controls marks a massive shift from focusing solely on software-based security controls, as seen in the past. Focusing security on immutable layers, such as using cryptography keys rooted directly into the medical hardware itself, reduces the likelihood of reverse engineering and tampering. However, medical device manufacturers will need to work together to make this a reality.
Corey Arana says
October 11, 2021 at 7:55 pm
From an article dated 10/4/21 Coinbase the cryptocurrency exchange has been hacked. The incident took place between March and May 20th 2021.A vulnerability in their two-factor authentication is believed to be the reason for the breach. A third-party actor has gained access to at least 6,000 user accounts and stole funds. Coinbase is unable to determine how the actor was able to obtain the confidential information but believe it involved phishing or other social engineering techniques to gain access. There appears to be a flaw in the SMS based authentication which allowed the actors to bypass the additional line of defense. Name, email, address, DOB and account information are some of the potential information taken in the breach.
Wilmer Monsalve says
October 11, 2021 at 9:38 pm
In this article it explains how a hacker was able to get medical health records that contained PII from multiple hospitals just by breaching a security camera vendor. It mentioned that approximately 75% off hospital breaches derived from third party vendors. It noted that admin maintenance is crucial as if user access controls could’ve helped prevent this indirect attack to all hospitals. With indirect attacks being just as threatening as direct ones, wouldn’t it be better to just limit third party vendors as much as possible and make anything that is possible in house in order to eliminate any vulnerabilities.
Richard Hertz says
October 12, 2021 at 5:55 pm
This sounds very worrisome – that our health records can be exposed due to a security camera vulnerability. However, I was talking to someone who works in health care and they let slip that a major health care provider in the North East still has instances of Windows NT still running in their network – yikes! This incident though, sounds a lot like the Target breach where they came in via HVAC and ended up in the POS system.
That someone can breach a perimeter device like a security camera is disappointing, but should be expected. That they can then traverse the internal network to get to patient medical records is a major failure!!
October 12, 2021 at 8:29 pm
Windows NT is very surprising and concerning! I think the Zero Trust model will help provide some relief with third party breaches. It’s becoming too difficult to establish and maintain trust between connected parties.
zijian ou says
October 12, 2021 at 10:19 am
“Microsoft: Iran-linked hackers target US defense tech companies”
Iran-linked threat actors target the Office 365 tenants of US and Israeli defence technology companies in extensive password spraying attacks.
In password spray attacks, threat actors attempt to brute-force accounts by using the same passwords across multiple accounts simultaneously, which allows them to hide failed attempts using different IP addresses.
This enables them to defeat automated defences like password lockout and malicious IP blocking designed to block multiple failed login attempts. The activity cluster was temporarily dubbed DEV-0343 by researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU), who have tracked it since late July.
October 12, 2021 at 8:43 pm
It is concerning how the bad actors defeated password lock outs. It shows the importance of using unique passwords and multi-factor authentication when securing accounts.
October 12, 2021 at 4:52 pm
A report about authorities in the Ukraine arresting an individual who was running a 100,000 strong bot network. The size of the network sounds large, but the largest recorded were closer to 1m strong. None the less, this is a sizable network. The individual is accused of advertising their services on several public social media platforms and taking payments via Russian hosted cyber platforms.
I think this is noteworthy because I hope it represents a renewed effort to clamp down on perpetrators of cyber events in Eastern Europe.
Dhaval Patel says
October 12, 2021 at 5:13 pm
New data from PWC shows that 2/3 of organizations are going to increase their cyber budget in 2022 to better protect their systems, however many organizations have realized that their systems are overly complicated and as a result lead to increased risk. The complexity of infrastructure has increased cost, but with little in return, many of the cyber attacks currently occurring could be prevented by simple cyber security practices – as stated by PWC executives.
October 12, 2021 at 8:09 pm
This was an interesting read. It’s a good reminder that sometimes the solution isn’t more technology and that less is more. The practice of the 5 Why’s may help organizations trying to scale back their infrastructure to reduce risk. The can help to get to the core of an issue and what decisions lead to it.
Ryan Trapp says
October 12, 2021 at 7:32 pm
Apple has pushed out an iOS update that fixes an “actively exploited” zero-day exploit. This is a memory corruption issue, as described by Apple and updating to iOS 15.0.2 will patch this bug. The article also talks about a new malware strain for iPhones called Pegasus, which is one of Israeli malware vendor NSO Group’s products. The reason why this malware strain is so critical is that it is capable of spreading without user interaction, i.e. a “no click install”. This malware is often sold to nation states for surveillance purposes and has widely been used to spy on human rights activists under authoritarian rulers in other countries.
Michael Galdo says
Office 365 Spy Campaign Targets US Military Defense
A new threat, which has been dubbed DEV-0343, has been attacking U.S. and Israeli defense technology companies,Persian Gulf ports of entry, and global maritime transportation companies in an attempt to takeover Microsoft Office 365 accounts. Microsoft released an alert on October 11 stating that they are aware of the attacks and that these attacks are being traced back to attackers with ties to Iran. The attackers are conducting password spraying against Office 365 accounts in an attempt to successfully gain access to an account. 250 companies that use Microsoft’s cloud-based Office suite have been attacked, but less than 20 of these companies have been compromised. Microsoft has recommended that users enable multi-factor authentication, use password less solutions, review access policies, and block all incoming traffic from anonymizing services.
Jason Burwell says
October 12, 2021 at 8:59 pm
Twitch source code and creator payouts part of massive leak
Twitch appears to have been hacked, leaking source code for the company’s streaming service, an unreleased Steam competitor from Amazon Game Studios, and details of creator payouts. An anonymous poster on the 4chan messaging board has released a 125GB torrent, which they claim includes the entirety of Twitch and its commit history.
Alexander William Knoll says
October 12, 2021 at 9:10 pm
“Defense Official Quit because US Cybersecurity is No Match for China'”
This week I read an article published yesterday on Business Insider about, as the title suggests, a Pentagon official, Nicolas Chaillan, who quit because he does not believe the United States can keep up with China in terms of artificial intelligence and cyber security. Chaillan joined the Air Force as a chief software officer in August 2018 to equip the Pentagon with secure and advanced software, but resigned just 3 years later. He spoke to Financial Times, stating that China was far ahead of the US in this realm, and in 15-20 years from now, we will not be able to keep up, calling US governments AI capabilities and cyber defenses “kindergarten level”. US departments have been the victim of several hacking/ransomware attacks in recent years, such as in April of 2020 when SolarWinds hackers were able to spy on digital actives of employees. Chaillan also added that national security is compromised because prominent companies such as Google refuse to work with the US on the matter, whereas Beijing had all the support of top Chinese tech companies. China is believed to become the AI superpower by 2030, and the US is not prepared to defend, and even if the US was to commit more resources it would not matter, because the budget is being allocated to the wrong areas. Chaillan plans to testify to Congress on his beliefs on China, and the Pentagon is yet to release a response.
Lauren Deinhardt says
October 12, 2021 at 9:51 pm
A Pentagon official said he resigned because US cybersecurity is no match for China, calling it ‘kindergarten level’
Recently, a cybersecurity official, Nicolas Chaillan, in the Pentagon stated that he resigned because he thought it was impossible for the US to compete with China in artificial intelligence (AI). Reasoning for this is how the US refuses to prioritize AI, describing it to be at a “kindergarten level” in comparison to other nations. To further his point, the US has been victim to numerous hacking attempts and ransomware attacks throughout recent years, such as the Solarwinds attack which left the Dept. of State, Dept. of Homeland Security, and Dept. of Defense in a compromised state. In addition, national security has been further compromised by Google refusing to work with the Pentagon on AI, since the government chose to use cyber strategies to improve drone attacks. According to the National Security Commission, China is aiming to becoming the leading AI superpower by 2030, and the US is not prepared to defend against any AI threats. Tying back to this case study and management’s overall reluctance to invest on cybersecurity, the government is no different. Chaillan quit his prestigious job because the Pentagon is reluctant to commit to cybersecurity, stating that: “(he is) just tired of continuously chasing support and money to do my job. My office still has no billet and no funding, this year and the next”. Chaillan is also reported to be testifying his concerns in front of congress regarding the unaddressed threat posed by China.
Bryan Garrahan says
October 12, 2021 at 10:31 pm
In most cases, there is very minimal, if any, collaboration between the business and IT. This article talks about how this organization was able to improve by getting the business involved in the security process of identifying vulnerabilities in their system(s). The CISO was able to gain buy in from the CEO, and with a top down approach, made security a business issue rather than a technology issue. The article notes, “The CEO put the responsibility for this KPI on each business unit’s managing director, rather than onto the IT department. This forced the business to integrate better with IT across all operations”. The CEO and CISO believed vulnerabilities could be more accurately identified and assessed with each department being responsible for managing their systems vulnerabilities. Furthermore, this approach would greatly reduce the risk of ransomware or other malicious attacks.
Joshua Moses says
October 12, 2021 at 11:10 pm
I first saw this story on post on Instagram. I didn’t really believe it to be true until I googled it for verification and reassurance. It seemed like big news and I wasn’t going to be surprised if I saw any other classmates reference the story (which they did)!
A Pentagon official named Nicolas Chaillan has resigned due to; “the Pentagon’s reluctance to make cybersecurity and AI a priority”. According to Chaillan, China is outclassing the United States in both Artificial Intelligence and Cyber Security. He also complained; “I am just tired of continuously chasing support and money to do my job. My office still has no billet and no funding, this year and the next,” he wrote.
According to the article; “A number of US departments have been subject to hacking attempts”
• The US Treasury
• Department of Homeland Security
• State Department
• Department of Defense
& still the Pentagon has yet to take the appropriate actions! Nicolas Chaillan plans to express his concerns about China in his testimony to congress. I think that will be very interesting, and I definitely plan to tune in!
Ornella Rhyne says
October 12, 2021 at 11:17 pm
This article is about a data breach that happened after an August ransomware attack at Quest-owned fertility. It says that approximately 350,000 patients of ReproSource had their medical data leaked, and some even had SSNs and credit card numbers exposed as well. In a statement to ZDNet, Quest said ReproSource provided notice that it experienced a data security incident in which an unauthorized party may have accessed or acquired the protected health information and personally identifiable information of some patients.
Michael Jordan says
October 12, 2021 at 11:52 pm
The article I read is titled “20 Years Later, the Y2K Bug Seems Like a Joke—Because Those Behind the Scenes Took It Seriously”. It was published online via Time Magazines website, and written by Francine Uenuma.
The article mainly talks about how when the year 2000 hit, the average person thought that the widely talked about Y2K catastrophe was a big hoax and that the government was just trying to scare everyone. People went from stocking up on food, water, and guns (due to the belief a computer-induced apocalypse was coming), to completely disregarding the potential issues that were fixed by the hard work of tech industry employees.
It is estimated that over $100 billion was spent in the United States to combat potential consequences of the Y2K issue, which required extensive coordination on local, national, and international levels. The average citizen did not realize that people began working on this issue a decade in advance, especially because tech workers many times did not publicize their work due to fear of public failure or humiliation if their implemented solutions did not work and ended in catastrophe.
John Koskinen, President of Bill Clintons Y2K group focused on making sure everything ran smoothly on January 1st, 2000, voluntarily (or maybe not) was on an airline flight as the clock struct midnight on New Years Eve. He did this to ease the general public and show them his confidence that Y2K issues had been widely corrected, and that everything would run smooth in the New Year. Highlighting the potential problems that could have arisen if no work was done to fix the Y2K issue, Koskinen at one point said, “If nobody had done anything, I wouldn’t have taken the flight.”
Antonio Cozza says
October 13, 2021 at 1:38 am
This article details the creation of a new effort by Google for defensive measures in the ever-evolving cyber attack/defense landscape. Google has just recently announced the formation of its newest line of defense against the increase in cyber attacks among major businesses: the Google Cybersecurity Action Team. The GCAT is comprised of cybersecurity experts within Google whose new mission is to help enterprise and government partners strengthen their cybersecurity postures as help is needed in incident response, advisory services, and methods of securely deploying Google Cloud. The team was created with a strong goal in mind: to become the “world’s premier cybersecurity advisory team.” Google has been receiving positive feedback regarding the creation of this team, especially by its fellow members of the Joint Cyber Defense Collaborative, which was created to help defend the US against cyberattacks. Google Cloud is also a member of the JCDC. The GCAT is just one of the presumably many to come solutions of cybersecurity advancement sought by Google in light of the recent announcement made regarding a $10 billion investment in improving cybersecurity. Other projects include the Work Safer program which addresses the vulnerability of increased remote workers that many businesses are now facing. I think this is good progress towards a potentially countrywide improved cybersecurity posture and addressing remote workers is a major security concern for many organizations so it will be interesting to see how effective this team becomes and whether or not it is able to effectively help Google partners defend themselves.
Victoria Zak says
October 13, 2021 at 5:27 pm
“Critical Flaw in OpenSea Could have Let Hackers Steal Cryptocurrency from Wallets”
OpenSea is known for rare digital items and crypto collectibles. They buy, sell, auction and discover what is called, “CryptoKitties.” OpenSea believed the critical flaw could have let hackers steal crypto current from wallets. However, they could have been abused by draining cryptocurrency funds from a victim sending a token, opening a new attack vector for exploitation. A checkpoint researcher said, “Left unmatched, the vulnerabilities could allow hackers to hijack user accounts and steal entire cryptocurrency wallets. by crafting malicious NFTs.”
An example of NFT are photos, videos, audio, and other items used to be sold on Blocktrain.
Vraj Patel says
October 13, 2021 at 9:22 pm
There has been a recent data breach at Neiman Marcus Group. They have alerted 4.6 million customers regarding their data that was being compromised. The attacker was able to gain access to the customers debit/credit card and gift card information. This company has 34 stores across 17 states. The company has also stated that the stolen data may include the name of the customer, the card expiration dates, username and password that are used by their customers to login to their accounts, and the security question that are used to reset passwords if the customer forgets their password. After identifying this incident, the company had ensured the users that were affected passwords are being changed. They also had set up a call center that provided affected customer assistance with any question they have regarding the incident.
Dan Xu says
October 14, 2021 at 5:00 pm
The impact of the data breach is far beyond imagination. Because the stolen data covers all the data that customers use daily, such as credit card and debit card passwords, residential addresses, and phone numbers. The lowest cost preventive measure is to urge users to change their passwords in time. I agree with what you said that the most important thing the company should do is to help affected customers with any problems while improving and perfecting the company’s defense system.
October 14, 2021 at 4:55 pm
“Sunderland University IT systems down in possible cyberattack”
The University of Sunderland has been hit by an outage that has “all the hallmarks of a cyber attack”. The university takes the security of its systems seriously and is doing its best to address the issue.
Last September, Newcastle University and Northumbria University were targeted by hackers and attacks on educational institutions are set to spike, with online lectures canceled to ensure security.
University campuses prefer to encourage face-to-face learning, as the lecture method circumvents the problems faced with the security of online systems.
For those who learn at a distance, while the risks can be minimized, other risks faced offline can follow. The important thing is to do a good job of online risk avoidance and system security enhancement.
You must be logged in to post a comment.