I think many companies are under the illusion that if they have security technologies such as antivirus, IDS/IPS, firewalls, SIEM tools in place, their data is safe from becoming compromised and/or breached. Having these technologies in place is a step in the right direction. However, I think companies do not realize that securing the data is an ongoing effort that consists of more than just installing technology. Companies have to know and understand the data and risk associated. They have to ask the questions, what type of data is in the environment (PII, Financial, etc) and where does the critical data sit? Are we using encryption? Do we have a security awareness program? Are we training users to properly secure and/or remove critical data? Do we understand the risk that affects the organization? The questions can go on and on, but the point is still the same, protecting the data is more than just installing technology.
The article I found discusses a vulnerability in applications using the REST plugin, built with Apache Struts. A researcher found the vulnerability and Apache released a full patch on 9/5/17. The researchers involved say there is no way to test if a system is vulnerable without exploiting the vulnerability. Exploiting this vulnerability only requires a web browser and allows someone to gain access to the server the application is on, which would then allow them to download or delete data. They believe as many as 65% of Fortune 500 companies are affected, as well as many government agencies. They fear there is no way to notify vulnerable organizations other than releasing how the vulnerability works and companies figuring out they need to patch their systems.
The number of affected organizations may seem high but I don’t doubt that this many companies would be affected. Working in IT Audit I think every organization I’ve seen uses Apache in some way.
Thankfully the vulnerability is confined to the REST plugin, which must be specifically applied, so the issue isn’t as widespread as simply having Apache. That said, it’s still extremely prevalent, and often very hard to detect without knowing the application architecture. From personal experience, it is a pain to track down developers who know this info.
According to this article, a security researcher discovered that D-Link DIR-850L Wireless AC1200 dual-band cloud routers are vulnerable to 10 security issues.
This article talks about the following: San Francisco becoming the first US city to adopt open source software for voting machines, open source software being widely accepted in other areas, the benefits of open source software (bringing cost down, increased security and transparency), and the drawbacks of open source software. It will be interesting to see how things unfold with the current plan to implement open source software for voting machines. Will it be secure? Will people have confidence in the process? Will it reduce cost?
Great article. I think cities and townships are now more aware of security breaches after the last presidential election. When you look at how much San Francisco paid their vendor, it only makes sense to use open source software and save a lot of money. The money saved can be used to further secure the open source software. How secure it will be remains to be seen.
Global Cyberattack on Energy Sector Stokes Deep Fears
This article talks about the following: the hacker group known as “Dragonfly” has deployed sophisticated attacks on the energy sectors of Europe and North America; attacks on the energy sector are complex, but if they do decide to attack it could lead to significant disruption; researchers have not yet determined the motive behind the attacks; the attackers used simple tools to attack the energy sector; and finally, the energy sector is focusing on countering the attacks. It will be interesting to see how things unfold, as the attackers have not caused any damage yet. How is the energy sector going to cope with the attacks? Will they be able to eliminate or mitigate the risk?
This article talks about the following: U.S. authorities arrested a British cyber-researcher credited with stopping the spread of the WannaCry ransomware; the British cyber-researcher developed the “Kronos” malware prior to stopping the spread of WannaCry; and finally, the British cyber-researcher is awaiting trial. It will be interesting to see how the trial unfolds.
This is the latest in terms of ransomware that has started to make an impact on the world. This could be something a lot more severe than what we are used to seeing with the current ransomware scams. All should be alert with this one because this could potentially be severe.
Karim Baratov, a 22-year-old Kazakhstan-born Canadian citizen, has pleaded guilty to hacking charges over his involvement in the massive 2014 Yahoo data breach that affected over three billion Yahoo accounts.
In March, the US Justice Department charged two Russians, Dmitry Dokuchaev and Igor Sushichim, and two other hackers, Alexsey Belan and Karim Baratov, with breaking into Yahoo servers in 2014.
Karim was arrested at his Ancaster home by the Toronto Police Department in March this year; the other three suspects are still in Russia and unlikely to be extradited.
Last Tuesday, Baratov admitted to helping the Russian spies and pleaded guilty to a total of nine counts in San Francisco, as follows:
– One count of conspiring to violate the Computer Fraud and Abuse Act by stealing information from protected computers and causing damage to protected computers.
– Eight counts of aggravated identity theft.
Besides any prison sentence, Baratov has also agreed to pay compensation to the Yahoo victims and a fine up to $2,250,000 (at $250,000 per count).
Great article Younis. I think moving forward there will be more hackers getting caught and convicted, and part of it will be big punishments. Imagine if a person gets arrested and then reduces their sentence by cooperating and testifying against larger criminals. This will happen in the security world; look at the punishment this guy received.
Fred Zajac says
In the news…
https://www.cnbc.com/video/2017/09/08/equifax-data-breach-exposes-143-million-americans.html
Equifax was hacked and over half the U.S. population’s PII was stolen. This is according to the U.S. Census Bureau (https://www.census.gov/popclock/), and also includes those under 18.
So, if you didn’t think your information was on the dark web, it probably is now.
On a side note, Equifax top executives, including the CFO sold stock days after the breach, but before the breach became public. The executives claim they didn’t know about the breach.
https://www.cnbc.com/video/2017/09/08/equifax-execs-sold-2m-worth-of-shares-after-cyberattack.html
Younes Khantouri says
Very interesting post Fred,
This kind of news has become very normal lately, but this time it is surprising because it is one of the largest companies that handle our sensitive data. It’s very scary to see that a company like Equifax doesn’t invest in securing our data and protecting us. They were trusted to have all this information to run our credit reports and they were careless about the security part.
It’s very scary because our sensitive information is everywhere by now.
Christie L Vazquez says
In the News
A term I heard this year at the RSA conference in San Francisco was “Cyber Malpractice”. The speaker stated that companies that do not put controls in place to prevent cyber attacks are committing cyber malpractice and their customers should hold them accountable if their data is compromised.
A judge ruled this week that did suffer an injury that was traceable to a breach. The case is allowed to move forward to a class action lawsuit. The outcome of the lawsuit will impact the future of cyber malpractice and organizations’ due diligence responsibilities.
https://www.darkreading.com/application-security/judge-rules-that-yahoo-breach-victims-can-sue-/d/d-id/1329798?
Andres Galarza says
Christie,
You raise an interesting issue in light of the news regarding Equifax.
https://www.bloomberg.com/news/articles/2017-09-08/equifax-sued-over-massive-hack-in-multibillion-dollar-lawsuit
I’ll be interested to see what punishment (if any) Equifax and its management face.
Sheena L. Thomas says
Really interesting article, and the execs sold their shares a day after the breach happened?
You would think that a company that stores PII for over 100 million people would have all the security measures in place. Does Equifax have to comply with any standards and/or regulations? I would think these types of companies should be audited by the government.
Neil Y. Rushi says
I read the full news on this today and there is a website they set up if you want to see if you are affected by this hack or not. http://www.msn.com/en-us/news/technology/massive-equifax-data-breach-may-impact-half-of-us-population/ar-AArtE40?li=AA4Zoy&ocid=ientp – they have the link to it. Since Equifax is one of the largest firms out there for credit monitoring, it’s better to find out now whether you’re hit or not.
Ian Riley says
Yeah, I was also gonna post about Equifax. They’ve really botched the cleanup of this too.
Some bullet’d examples:
– They really botched the execution of actually telling people what website to go check [1]
– The website has a terrible name ( https://www.equifaxsecurity2017.com/ ), which reads in my head as being one of those websites you see during Phishing training
– Checking your “potential impact” brings you to a SECOND site, where you enter your last name and last 6 of your social to check if you’re impacted. Even if you make up a name, the site would tell you that you may have been impacted [2]
– Entering the same info on the website may behave differently based on whether you submitted via a mobile device or a proper computer [3]
– Minor, but: The website is poorly coded, and can’t handle last names with an apostrophe in them (like O’Riley)
– When you submit to check if your data has been compromised, they try to sell you identity theft protection, whether or not they think you were compromised
[1] https://twitter.com/notdan/status/905949502925750273
[2] https://twitter.com/briankrebs/status/905997993702252544
[3] https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/
Ian Riley says
And I’m just gonna reply to myself here because I failed to finish my point: the whole idea of entering the last SIX on a website is bonkers. Prior to 2011, your Social Security number was formed as XXX-YY-ZZZZ. XXX is based on where you were born, YY is based on WHEN you were born, and ZZZZ was assigned in ascending order. This means that really, your last four are the only unique parts of your Social. If you know where someone was born and you know their last six, you now know their entire social. If anyone accessed this website and had a keylogger, their social (which may not have been compromised before) would now be compromised.
The actual site has two open ports, 80 and 443, corresponding to HTTP and HTTPS. I don’t have anything ancient enough that I can actually force an HTTP connection, but I’ll try in the next few days to see if the info entered goes out in plaintext.
Ian Riley says
Following up on my own comment from yesterday: after looking in vain for some way to force an HTTP connection via my web browser, I realized I had a pretty easy way to make an HTTPS negotiation fail. I logged into my WAP/router and set up a rule as follows:
https://pasteboard.co/GJXF3OC.png
When I went to the trustedidpremier website, I saw many different IP addresses linked to it (easily viewable in chrome://net-internals/#dns). Since I don’t have anything critical going on at home, I just blocked the whole 54.192.55.XXX block without seeing who else might own addresses there. Afterwards, I tried to go to http://trustedidpremier.com, and a few minutes later Chrome still has a spinning circle indicating that it’s trying to connect.
The whole point of this experiment was to see if the website would allow a plain HTTP connection, where the last name and last six of the SSN might be sent in plaintext (inspired by seeing that port 80 was open on their servers). It looks like all that the port 80 connection does is forward you to create a port 443 connection (if your router works, that is).
Glad to see that someone with an outdated browser that doesn’t prefer HTTPS isn’t in danger of accidentally sending their Publicly Identifiable Information out on an unencrypted link (or worse, wireless).
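The check described above (does port 80 only forward you to HTTPS, or could it serve the last-name/last-six form in the clear?) written out as an added example; this is not code from the thread, and the hostnames and HTTP responses in it are constructed:

```python
"""Classify a plain-HTTP (port 80) response: a redirect to HTTPS on the same
host is what you want to see; a 200 that carries a <form> means whatever is
typed into it can travel in cleartext.  Added example; hosts and responses
below are constructed, not captured from any real site."""
import http.client
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify(status: int, headers: dict, body: bytes, host: str) -> dict:
    """Return a verdict dict; 'safe' is True only when the cleartext endpoint
    does nothing but forward the client to an https:// URL."""
    verdict = {
        "status": status,
        "redirects_to_https": False,
        "same_host": False,
        # HSTS on the plain-HTTP response is ignored by browsers, but its
        # presence on the HTTPS side is what stops future cleartext visits.
        "hsts": "strict-transport-security" in headers,
        "serves_form_in_clear": False,
    }
    if status in REDIRECT_CODES and "location" in headers:
        target = urlparse(headers["location"])
        verdict["redirects_to_https"] = target.scheme.lower() == "https"
        verdict["same_host"] = (target.hostname or "").lower() == host.lower()
    elif status == 200:
        # A form delivered over port 80 can be submitted, or rewritten by
        # anyone on the path, without encryption.
        verdict["serves_form_in_clear"] = b"<form" in body.lower()
    verdict["safe"] = (verdict["redirects_to_https"]
                       and not verdict["serves_form_in_clear"])
    return verdict


def classify_raw(raw: bytes, host: str) -> dict:
    status, headers, body = parse_raw_response(raw)
    return classify(status, headers, body, host)


def probe_cleartext(host: str, path: str = "/", timeout: float = 5.0) -> dict:
    """Live version: one GET over plain HTTP, redirects not followed, so the
    very first response from port 80 is what gets classified."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(resp.status, headers, resp.read(), host)
    finally:
        conn.close()


# Constructed sample responses for offline use.
GOOD_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://check.example.test/\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)
BAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<html><body><form method="post" action="/impact">'
    b'<input name="lastname"><input name="ssn_last6"></form></body></html>'
)

if __name__ == "__main__":
    for label, raw in (("redirect", GOOD_RESPONSE), ("form", BAD_RESPONSE)):
        print(label, classify_raw(raw, "check.example.test"))
```

`probe_cleartext` needs network access and is there for running the same verdict against a host you operate; the two sample responses exercise the classifier offline.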
Amanda M Rossetti says
This was also my first thought when I saw the Equifax page to know if you were hit. I would like to know but I’m not about to enter even more information on a website run by a company that I /know/ has bad security and controls. There has to be a better way for them to set this up to know if you were hit without having to trust a company that has already failed so massively.
Neil Y. Rushi says
I came across this article on my friend’s LinkedIn page when I asked him about some techniques to try and learn. He mentioned Bitcoin, blockchain and cryptocurrency. We were talking about investing in some Bitcoin and I looked up blockchain. This article is pretty straightforward and explains it in simple English, which is nice. Apply security to it and the other technology behind it, and blockchain could be useful. https://www.linkedin.com/pulse/blockchain-absolute-beginners-mohit-mamoria
Matt Roberts says
I think blockchain is definitely something that is going to become more and more important as online currencies become more prevalent in the future. It definitely gives the user (us) more control and assurance over our own transactions instead of relying solely on third parties (as explained in the article). You made a good point that it will need more security measures and processes attached to it before it can become completely viable for large-scale transactions.
Neil Y. Rushi says
Some companies are accepting bitcoin as currency now and Lamborghini is one of them. The best part of this article is that it breaks it down in simple English and anyone who doesn’t know technology can work with someone who does which is very good.
Younes Khantouri says
Neil,
I know I am posting this a few months after your comment, but many organizations and even countries don’t allow the Bitcoin currency to be used. There are so many inconveniences with this currency.
Ronghui Zhan says
I don’t care about those things very much. I read them as news. I care more about something more technical and specific, like how to write a simple tool to scan ports, and something more advanced. I guess I am not welcome here 😀
Shi Yu Dong says
My new article is about Facebook being slapped with a $1.43 million fine for violating users’ private information and data in Spain. According to the article, the Spanish Data Protection Agency (AEPD) has issued a $1.43 million penalty against Facebook for breaching laws designed to protect its people’s information and confidentiality. It also describes that Facebook collects its users’ data without their permission and makes a profit by sharing the data with advertisers and marketers.
http://thehackernews.com/2017/09/facebook-privacy.html
Fraser G says
My article is a press release: https://18f.gsa.gov/2017/08/22/government-launches-login-gov/
18F is “….an office within the General Services Administration (GSA) that collaborates with other agencies to fix technical problems, build products, and improve how government serves the public through technology.”
Together with other agencies, 18F has created Login.gov, which is designed to allow people to more easily access government resources online with a single sign-on. Think, for example, of someone going through the immigration process. That person would need to log in and access multiple agencies and departments (ICE, Dept. of Homeland Security, IRS, etc.). I can only imagine the challenge of building a single authentication mechanism to handle the myriad systems of the federal government. Oh, and it has to be secure too! While the recent Equifax breach and other cyber security headlines have come out recently and remind us of the dangers of storing PII online, this single sign-on is likely inevitable. I applaud this kind of effort and hope we will continue to modernize.
Ian Riley says
@Fraser, I work full time for the DoD and this is actually the first I’m hearing about login.gov. Given how terrible and opaque some government processes I’ve had to go through have been, there’s definitely a lot of room for improvement. Getting my security clearance, for example, took about a year, three application submissions, and I never knew if I was a day, a month, or a year away from being accepted. I was still able to work in the meantime, so this fog didn’t affect me too much. I’d hate to be facing the same unknowns while waiting to immigrate.
Richard Mu says
My article is about how security researcher Mark Barnes was able to find a vulnerability in the 2015/2016 Amazon Echo models. Barnes was able to gain root access through the diagnostic pads on the bottom of the devices and installed his own software to create a man in the middle between the user and Amazon. The software that was installed was able to use the microphones and relay the audio file to Barnes’s laptop. There is a possibility that all refurbished or secondhand Echos that were sold were compromised.
Article: https://www.forbes.com/sites/jaymcgregor/2017/09/07/listening-in-on-a-hacked-amazon-echo-is-terrifying/#533eca5e5c7f
Younes Khantouri says
Richard,
I think this will be an issue for those who use a second-hand Echo device. I think that some of those Echo devices may have modified software which can harm our private lives. Again, people have to start with new devices, especially those containing software.
Very interesting topic Richard, thank you.
Joseph Feldman says
This article is about a new ransomware attack that unleashed 23 million emails in 24 hours. This ransomware attack is a new variant of the original Locky ransomware, which encrypts a wide variety of files on an infected computer and on other computers on the same network. The email being sent out is very simple, as the body says “download it here” and includes a bogus sender name. The subject line is chosen from a minimal list of words such as pictures, documents, and scans, and once the attachment is opened, the files are encrypted and a payment is demanded to decrypt the files. The current demand is 0.5 bitcoin, which is just over 2300 dollars. With the scale of emails sent out with ransomware in them, it only takes a small number of people to click on the link and also pay the ransom. Whoever initiated the ransomware attacks can make a couple of million dollars on a low success rate.
https://www.forbes.com/sites/leemathews/2017/08/31/massive-ransomware-attack-unleashes-23-million-emails-in-24-hours/#676ce9f0394b
Donald Hoxhaj says
Joseph – Interesting article, this cyberattack was not sophisticated but instead a wholesale attack, hoping that people will fall for it. It’s amazing the number of people that were affected by the ransomware in such a short period. I wonder if there were any organizations that were affected by the ransomware. If yes, was that due to a lack of controls in place? Also, how did they cope with the attack?
Sachin Shah says
Agree this was not sophisticated but more about quantity and not quality. In sales – as now in security, such as ransomware emails – sometimes the more you attempt, the more chances you have. This was 23 million emails, so even a 1% success rate does significant damage.
Sheena L. Thomas says
My article is about “11 Theatrical security measures that don’t make your systems safer”
“The term “Security Theater” was coined to describe the array of security measures at US airports – taking off shoes, patting down children and the elderly – that project an image of toughness without making commercial aviation any safer. But the man who came up with the phrase is famous cybersecurity expert Bruce Schneier, and it could just as easily apply to a number of common tech security measures.”
By Josh Fruhlinger, CSO
https://www.csoonline.com/article/3078052/security/just-for-show-11-theatrical-security-measures-that-dont-make-your-systems-safer.html?token=%23tk.CSONLE_nlt_cso_update_2016-06-13&idg_eid=69577b3f1c9ff0be1e737d6f12fa4c7f&utm_source=Sailthru&utm_medium=email&utm_campaign=New%20Campaign%202016-06-13&utm_term=cso_update#slide1
I think many companies are under the illusion that if they have security technologies such as antivirus, IDS/IPS, firewalls, and SIEM tools in place, their data is safe from becoming compromised and/or breached. Having these technologies in place is a step in the right direction. However, I think companies do not realize that securing the data is an ongoing effort that consists of more than just installing technology. Companies have to know and understand the data and the risk associated with it. They have to ask the questions: what type of data is in the environment (PII, financial, etc.) and where does the critical data sit? Are we using encryption? Do we have a security awareness program? Are we training users to properly secure and/or remove critical data? Do we understand the risk that affects the organization? The questions can go on and on, but the point is still the same: protecting the data is more than just installing technology.
Amanda M Rossetti says
http://www.zdnet.com/article/critical-security-bug-threatens-fortune-100-companies/
The article I found discusses a vulnerability in applications using the REST plugin, built with Apache Struts. A researcher found the vulnerability and Apache released a full patch on 9/5/17. The researchers involved say there is no way to test if a system is vulnerable without exploiting the vulnerability. Exploiting this vulnerability only requires a web browser and allows someone to gain access to the server the application is on, which would then allow them to download or delete data. They believe as many as 65% of Fortune 500 companies are affected, as well as many government agencies. They fear there is no way to notify vulnerable organizations other than releasing how the vulnerability works and companies figuring out they need to patch their systems.
The number of affected organizations may seem high, but I don’t doubt that this many companies would be affected. Working in IT audit, I think every organization I’ve seen uses Apache in some way.
Kevin Blankenship says
Thankfully the vulnerability is confined to the REST plugin, which must be specifically applied, so the issue isn’t as widespread as simply having Apache. That said, it’s still extremely prevalent, and often very hard to detect without knowing the application architecture. From personal experience, it is a pain to track down developers who know this info.
Mohammed Syed says
According to this article, a security researcher discovered that D-Link DIR-850L Wireless AC1200 dual-band cloud routers are vulnerable to 10 security issues.
http://thehackernews.com/2017/09/d-link-router-hacking.html
Donald Hoxhaj says
http://www.technewsworld.com/story/84794.html
US Elections: Open Source vs Commercial Software
This article talks about the following: San Francisco becoming the first US city to adopt open source software for voting machines, open source software being widely accepted in other areas, the benefits of open source software in bringing cost down and increasing security and transparency, and the drawbacks of open source software. It will be interesting to see how things unfold with the current plan to implement open source software for voting machines. Will it be secure? Will people have confidence in the process? Will it reduce cost?
Sachin Shah says
Great article. I think now cities or townships are more aware of security breaches after the last presidential election. When you look at how much San Francisco paid their vendor, it only makes sense to do open source software – and save a lot of money. That money can then be used to further secure the open source software. How secure it will be is what remains to be seen.
Donald Hoxhaj says
http://www.technewsworld.com/story/84790.html
Global Cyberattack on Energy Sector Stokes Deep Fears
This article talks about the following: a hacker group known as “Dragonfly” has deployed sophisticated attacks on the energy sectors of Europe and North America; attacks on the energy sector are complex, but if they do decide to attack, it could lead to significant disruption; researchers have not yet determined the motive behind the attacks; attackers used simple tools to attack the energy sector; and finally, the energy sector is focusing on countering the attacks. It will be interesting to see how things unfold, as the attackers have not caused any damage yet. How is the energy sector going to cope with the attacks? Will they be able to eliminate or mitigate the risk?
Donald Hoxhaj says
http://www.technewsworld.com/story/84728.html
WannaCry Hero Arrested on Kronos Malware Charges
This article talks about the following: U.S. authorities arrested a British cyber-researcher credited with stopping the spread of the WannaCry ransomware; the British cyber-researcher developed the “Kronos” malware prior to stopping the spread of WannaCry; and finally, the British cyber-researcher is awaiting trial. It will be interesting to see how the trial unfolds.
Brent Hladik says
https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html
This is the latest in terms of ransomware that has started to make an impact on the world. This could be something a lot more severe than what we are used to seeing with the current ransomware scams. All should be alert with this one because this could potentially be severe.
Younes Khantouri says
22-Year-Old Hacker Pleads Guilty to 2014 Yahoo Hack, Admits Helping Russian Intelligence
Karim Baratov, a 22-year-old Kazakhstan-born Canadian citizen, has pleaded guilty to hacking charges over his involvement in the massive 2014 Yahoo data breach that affected over three billion Yahoo accounts.
In March, the US Justice Department charged two Russians, Dmitry Dokuchaev and Igor Sushchin, and two other hackers, Alexsey Belan and Karim Baratov, for breaking into Yahoo servers in 2014.
Karim was arrested in Toronto at his Ancaster home by the Toronto Police Department in March this year; the other three suspects are still in Russia, unlikely to be extradited.
Last Tuesday, Baratov admitted to helping the Russian spies and pleaded guilty to a total of nine counts in San Francisco, as follows:
– One count of conspiring to violate the Computer Fraud and Abuse Act by stealing information from protected computers and causing damage to protected computers.
– Eight counts of aggravated identity theft.
Besides any prison sentence, Baratov has also agreed to pay compensation to the Yahoo victims and a fine up to $2,250,000 (at $250,000 per count).
https://thehackernews.com/2017/11/yahoo-email-hacker.html/
Sachin Shah says
Great article Younes. I think moving forward there will be more hackers getting caught and convicted. And part of it will be big punishments. Imagine if a person gets arrested and then reduces their sentence by cooperating and testifying against larger criminals. This will happen in the security world; look at the punishment this guy received.