Every year cyber criminals devise new high-profile and sophisticated attacks against organizations worldwide. 2017 is no exception: from complex ransomware attacks to large data breaches, it is obvious this year’s cyber-attacks have caused major damage. Below you will find the most prominent cyber security news so far and the lessons they’ve left behind.
On Friday, May 12, 2017 a large-scale cyber-attack known as “WannaCry” was launched, targeting more than 230,000 computers in 150 countries and affecting Britain’s National Health Service (NHS), FedEx, LATAM Airlines and other important companies around the world. This is certainly not the last time we’ll hear about this cyber-attack; here’s what you need to know…
Regardless of their politics, the recent news of the DNC server hack, allegedly by Russian-government-backed hackers, should have security teams pulling their hair out. Why? Because the first phase of the attack used one of the oldest tricks in the book -- a phishing email attack, leveraging a copycat domain.
"For example, the first group, APT 28, often uses the same tactic: registering a domain whose name is similar to that of its target, to trick users into disclosing their passwords when logging into the wrong site. In this case, hackers set up misdepatrment.com — switching two letters — to target users of MIS Department, which manages networks for the Democratic committee." NY Times, July 27, 2016
It should be no surprise to learn that almost every devastating cyber breach, from Target to the DNC, starts with the same exploit:
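The copycat-domain trick quoted above (two letters swapped in an otherwise familiar name) is something a mail gateway or SOC can screen for mechanically. The following added example, written for this page and not taken from the original post or from any product it mentions, classifies the sender domain of an inbound message against a list of protected domains using the Damerau-Levenshtein distance, which counts an adjacent-character transposition as a single edit. The protected-domain list, the `max_distance` threshold and the sample headers are constructed for illustration; the lookalike name itself is the one reported in the quoted article.

```python
import re

# Constructed list of domains this organisation owns or trusts (hypothetical).
PROTECTED_DOMAINS = ["misdepartment.com", "example-bank.com"]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1, so a swapped
    letter pair such as 'tr' for 'rt' is distance 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_part(domain: str) -> str:
    """Keep the last two labels so mail.misdepartment.com compares as
    misdepartment.com. This is deliberately naive: multi-label suffixes such
    as co.uk need a public-suffix list in real deployments."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> dict:
    """'trusted' for an exact protected match, 'lookalike' if within
    max_distance edits of a protected domain, otherwise 'unrelated'."""
    dom = registrable_part(domain)
    if dom in protected:
        return {"domain": dom, "verdict": "trusted", "closest": dom, "distance": 0}
    closest = min(protected, key=lambda p: damerau_levenshtein(dom, p))
    dist = damerau_levenshtein(dom, closest)
    verdict = "lookalike" if dist <= max_distance else "unrelated"
    return {"domain": dom, "verdict": verdict, "closest": closest, "distance": dist}


# Captures the domain after the last '@' on the From: header line.
SENDER_RE = re.compile(r"^From:.*@([A-Za-z0-9.-]+)", re.IGNORECASE | re.MULTILINE)


def screen_message(raw_headers: str) -> dict:
    """Pull the sender domain out of raw message headers and classify it."""
    m = SENDER_RE.search(raw_headers)
    if not m:
        return {"verdict": "no-sender"}
    return classify_domain(m.group(1))


# Constructed sample headers for demonstration only.
SAMPLE_PHISH = "From: IT Support <helpdesk@misdepatrment.com>\nSubject: Password reset required"
SAMPLE_LEGIT = "From: IT Support <helpdesk@mail.misdepartment.com>\nSubject: Maintenance window"

if __name__ == "__main__":
    for msg in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(screen_message(msg))
```

A distance threshold of 1 or 2 catches the single transposition from the article while leaving genuinely unrelated senders alone; in practice the flagged messages go to a quarantine or an analyst queue rather than being silently dropped, and the protected list should include the brands employees are most likely to receive mail from, not just the organisation's own domains.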
During my morning news scan, I came across some interesting articles surrounding the recent Hell Tor deep web cybercrime forum, and in particular discussion about the associated text file that contained more than 23,000 records that “appeared” to be a user database populated exclusively by user accounts with dot-gov email from the Office of Personnel Management (OPM). After a close review of the file, experts stated that these records -- made available as a teaser and/or as “proof” that the hackers had compromised the agency -- were not from the OPM; instead, they were a list of users stolen from a different government agency, Unicor.gov, also known as Federal Prison Industries.
Just a month ago, I wrote about an emerging critical cyber threat trend -- attacks centered on health care providers and health insurance systems. These schemes are very lucrative for thieves because the loot, electronic health records, contains everything needed -- social security numbers, known addresses, phone numbers, relatives, payment preferences -- to create duplicate identities for individuals. Just add the photo.
Earlier this month we were all informed that the Heartbleed bug, which affected versions of OpenSSL, a widely used data encryption standard, had potentially compromised our personal information. Around the world the response was the same: “change your password”. Seems like a simple enough solution, but if you are using an insecure password, changing it will not protect you for long. In addition, if you did not wait for each website to patch their OpenSSL before changing your passwords, then your new passwords may have already been compromised too.
Earlier last week Jody Westby wrote a very insightful article for Forbes highlighting the lack of experience and expertise from most board members and CEOs when dealing with serious cyber risks. A great point is made when she remarks that “they [CEOs and board members] are beginning to realize that there are best practices for cyber governance, and this involves more than asking interesting questions now and then or accommodating an annual ten-minute IT report on the board agenda”.
A couple of days ago I filed a Notice of False Profile with LinkedIn (operator of a professional networking site with 259 million members) because a fake member account had been set up involving one of my financial clients. The perpetrator’s profile indicated that “she” was a company branch manager, and she was sending out LinkedIn invites to her “co-workers” at the financial institution. The profile should have screamed “fake” to experienced users of the site. Some tell-tale signs were that the profile was bare bones, with only my client listed as an employer (along with the presence of the company logo), and the image of the individual on the page looked like a robot. I received a quick response back from LinkedIn saying they HAD begun processing the complaint, but that it may take some time to process. Last week the news was full of articles stating that LinkedIn had sued hackers over the creation of thousands of fake accounts. The hackers’ objective was to tap into legitimate member profiles (which they did at apparently a rate of hundreds of thousands of profiles each day) where they could glean a plethora of personal information. At this point the identity of the hackers is unknown, and subpoenas are being served on Amazon Web Services, the cloud platform used to create the fake accounts, in an attempt to unmask them.
The scheme was explained in an article published by Bloomberg on January 7th which stated “hackers using automated software created thousands of fake member accounts and copied data from actual member profile pages.” The article goes on to say “the practice, known as data “scraping,” violates LinkedIn’s user agreements and federal and state computer fraud laws, the company said in a complaint filed yesterday against the unknown hackers in federal court in San Francisco. It has also strained and disrupted the company’s network computers and threatens to degrade the value of LinkedIn Recruiter, a fee-based service used by Fortune 100 companies that’s one of the company’s fastest-growing offerings, according to the complaint”.