
Archive for September 2019

Alderman Censured for Not Completing Cybersecurity Training

An alderman in the Tennessee city of Germantown has been censured for not completing a 45-minute cybersecurity training course.

Dean Massey received the official rebuke from his fellow aldermen at a heated two-hour meeting of the administration, which took place last night. The censure, which was passed on a 3-2 vote, stipulates that Massey must complete the cybersecurity training by September 27, 2019.

Authored by Alderman Rocky Janda, the censure states: "Alderman Dean Massey willfully and intentionally placed and continues to place the City of Germantown at risk of a cybersecurity breach by refusing to take reasonable training measures to prevent online security attacks."

Massey and another alderman had their city email accounts restricted earlier this month after missing the deadline to complete the cybersecurity course, which Massey told Infosecurity Magazine was not designated as mandatory.

Instead of completing the training to regain access to his email account, Massey elected to create an alternative Gmail account through which to carry out official city business.

Describing what happened next, Massey told Infosecurity Magazine: "I never opposed or refused to take cyber-training. I requested that the IT director schedule time to publicly discuss cybersecurity and training with the Board of Mayor and Aldermen, but rather than simply honoring my request and acting in the public's interest, the administration went into cover-up mode and replaced my request for public discussion about cybersecurity policies with another alderman's request to censure me."

Official censures are typically reserved for conflicts of interest, misuse of public funds, and cases of sexual harassment. 

Massey said that last night's meeting "should have been a meeting about the mayor's lack of a cyber policy" and described the censure as "completely self-serving and a total waste and abuse of taxpayer resources."  

He said: "The administration has never implemented a cybersecurity policy and has failed to discuss the threats with aldermen for decades."

Since news of the restriction placed on Massey's city email account got out, the alderman has received what he describes as "harassing email and comments on social media." 

One such comment, which Massey shared on the Facebook page Massey for Germantown, read "F**k you, you entitled pr*ck. Take the training. Oooh, you don't trust the IT department? You're an ignorant a**hole."

Massey feels that the actions of Germantown officials have put the lives of his family at risk. 

He wrote on Facebook: "By ginning up unwarranted hatred for me through the government-sanctioned smear campaign, members of the administration made my family a target and put the lives of my wife and young son in danger."

In an email sent to Massey on September 20 and shown to Infosecurity Magazine, Vice Mayor Mary Anne Gibson wrote, "As a parent, I often reminded my children that actions have consequences," before describing the media attention Massey has received as "a circus of your own creation."

Source: Information Security Magazine

Malware Attack Prompts US Transport Authority to Axe Online Store

An American transport authority has responded to a malware attack by permanently closing its online store.

The Southeastern Pennsylvania Transport Authority (SEPTA) shuttered the site within an hour of discovering that the personal data of 761 customers had been stolen in a data-skimming Magecart attack. 

Hackers were able to steal shoppers' credit card numbers, names, and addresses during an online crime spree thought to have begun on June 21 and ended on July 16. The store, which sold online travel tickets along with SEPTA-branded mugs and clothing, was hosted by Amazon Web Services. 

SEPTA was alerted to the attack on July 16 by a user who received a malware warning while browsing the online store. However, the transport authority waited until September 5 to inform customers affected by the attack by letter that a breach had taken place. 

Asked what had caused the two-month time lag, SEPTA spokesperson Andrew Busch told Infosecurity Magazine: "Customers were notified as soon as SEPTA was confident that it had gathered accurate information regarding the individuals who were affected. SEPTA followed proper reporting protocols as soon as the breach was discovered by notifying the FBI and the Pennsylvania Department of Transportation."

The revelation that the online store had been permanently closed in an effort to prevent any future malware attacks only came to light on September 19 when it was reported by The Philadelphia Inquirer.

Explaining SEPTA's arguably extreme approach to cybersecurity, Busch told Infosecurity Magazine: "The primary reason for shutting it down was to eliminate the potential for any additional customer information to be compromised. 

"In addition, the site was mostly used for purchases of fare products that have or are being phased out with SEPTA’s modernized fare system, the SEPTA Key, and in general it was not widely used. The SEPTA Key has a separate e-commerce site, and that site was not breached."

Busch confirmed that SEPTA has not suffered any further attacks since closing its online store, whose quiet death failed to arouse much notice. 

Describing the impact of SEPTA's decision to axe the store, Busch said: "There has not been a significant amount of customer feedback."

Source: Information Security Magazine

27 Countries Sign Pledge to Play Nice Online

Countries around the world have joined forces to declare that they are fed up with the lawless state of cyberspace. 

As the newest frontier to be riddled with humanity, it's perhaps no surprise that while cyberspace has brought with it some positives like the promotion of free expression, it has also given rise to behavior that goes way beyond bad. 

Spiraling cybercrime, some of it sponsored by states themselves, is costing the global economy $2.9m per minute, and digital espionage is going on left, right, and center. 

In a joint statement published yesterday at the United Nations, 27 countries pledged their support to clean up an arena that has become the digital equivalent of the old Wild West. 

The statement, which was affirmed by Australia, Belgium, Canada, Colombia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, the Netherlands, New Zealand, Norway, Poland, the Republic of Korea, Romania, Slovakia, Spain, Sweden, the United Kingdom, and the United States, declared: "State and non-state actors are using cyberspace increasingly as a platform for irresponsible behavior from which to target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut fair competition in our global economy by stealing ideas when they cannot create them."

Signatories called for nations to act online in accordance with international laws reflecting the voluntary norms of responsible state behavior in peacetime, before stating that "there must be consequences for bad behavior in cyberspace."

The countries said that they would work together to hold states accountable for their digital misdeeds. No specific countries were named and shamed in the statement; however, the digs about undermining democracies could be construed as a reference to Russia, which has been accused of meddling in elections in the US, the Ukraine, and France.  

"The recently issued statement still does not clarify how and when attribution can be effectively used in cyberspace," Isidoros Monogioudis, senior security architect at Digital Shadows, commented to Infosecurity Magazine. "Furthermore, some topics are still in the negotiation phase, so the concept of 'responsible state behavior' is still not fully defined. This might ultimately create challenges."

Noting which countries had not signed the statement, Chris Morales, head of security analytics at Vectra, told Infosecurity Magazine: "This is a document that doesn’t include the most cyber-capable countries, such as Russia, China, and Iran, who are constantly engaged in cyber-warfare. Frankly, I’m not sure what impact, if any, this will have."

Source: Information Security Magazine

Hundreds of US Schools Hit by Ransomware in 2019

Ransomware attacks have disrupted operations at 49 US school districts and educational institutions, making the sector the second most popular for attackers after local government municipalities, according to Armor.

The cloud security vendor analyzed publicly reported attacks since January 2019 to better understand the scale of the threat facing the education industry.

It claimed that attacks may have compromised as many as 500 K-12 schools in the first nine months of 2019, versus just 11 last year.

In a little over a week in mid-September, nine new school districts and one college were hit, affecting around 100 K-12 schools, the firm said.

Crowder College, which reported an attack on September 11, claimed the ransom was a massive $1.6m, the first $1m+ demand since Monroe College in New York was hit with a $2m ransom note in July.

According to the school, there’s evidence that hackers had been inside the Crowder College IT systems since November last year. This would make sense if it was one of the five targets hit by Ryuk ransomware this year, as these infections are typically preceded by Emotet or Trickbot trojans, which often lay the groundwork for the ransomware.

Connecticut has the dubious honor of being the state with the most compromised school districts, with seven hit, covering 104 schools.

It’s unclear whether the rash of attacks over recent weeks was designed to cause maximum disruption during the busy back-to-school period.

“Educational institutions, municipalities and other organizations whose infrastructure is critical to their communities host a variety of data, most of which is sensitive,” said Chris Hinkley, head of threat resistance at Armor.

“Cyber-criminals know these organizations can’t afford to shut down, they are often using out-of-date hardware and software, and they have few security measures in place. This is a deadly combination in the case of a ransomware attack, which provides for a high sense of urgency and a high probability of large payments.”

Source: Information Security Magazine

North Korean Malware Attacks ATMs and Banks

The infamous Lazarus Group is behind new malware discovered targeting ATMs and back-office systems in Indian banks and research centers, according to Kaspersky.

The Russian AV vendor claimed in a new report that it discovered the ATMDtrack malware back in late summer 2018. It is designed to sit on targeted ATMs and effectively skim the details of cards as they are inserted into the machine.

However, digging a little deeper, the researchers found another 180+ new malware samples similar to ATMDtrack but which were not designed to target ATMs.

Collectively, these Dtrack malware tools seem to be focused on information theft and eavesdropping, via functionality such as: keylogging; retrieving browser history; gathering host IP addresses and network info; and listing all running processes and files.

The dropper also contained a remote access trojan (RAT) to give attackers complete control over a victim’s machine.

Kaspersky claimed the Dtrack malware shares similarities with the DarkSeoul campaign of 2013, also linked to North Korea’s Lazarus Group, which disrupted computers at a South Korean bank and three TV stations, as well as countless ATMs.

“We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers,” noted the report. “And once again, we see that this group uses similar tools to perform both financially motivated and pure espionage attacks.”

However, Dtrack attackers would need to take advantage of weak network security policies, weak password policies, and a lack of traffic monitoring. So by addressing these issues and putting in place reputable AV featuring behavior-based tools, as well as regular security training and IT audits, organizations could repel the threat, said Kaspersky.

“The vast amount of Dtrack samples we found demonstrate how Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries. Their successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets,” said Kaspersky security researcher, Konstantin Zykov.

“Even if you are a research center, or a financial organization that operates solely in the commercial sector with no government affiliates, you should still consider the possibility of being attacked by a sophisticated threat actor in your threat model and prepare respectively.”

Source: Information Security Magazine

Ransomware Attack Disrupts Wyoming Health Services

Healthcare in Wyoming has been seriously disrupted after a ransomware attack brought down the computer systems of Campbell County Health.

Campbell County Health (CCH), which is based in Gillette, includes Campbell County Memorial Hospital, a 90-bed acute-care community hospital; Campbell County Medical Group, with nearly 20 clinics; The Legacy Living & Rehabilitation Center long-term care center; and the Powder River Surgery Center. 

All of CCH's 1500 computers and its email server were affected by the attack, which took place on Friday morning, September 20. As a result, surgeries have been canceled, and new inpatient admissions have ceased. 

All of today's appointments in the cancer center's radiation oncology department were canceled, and no outpatient lab, respiratory therapy, blood draws, or radiology exams or procedures are being carried out.

The attack prompted the hospital to go "on full divert," meaning patients arriving at the emergency room or walk-in clinic are triaged then transferred to an alternative care facility, if needed.

Other hospitals in the region have been informed of the situation and are working with CCH to provide urgent care, although two of them, Casper and Rapid City, were already full when news of the attack broke. 

A press release issued by CCH on Friday afternoon stated: "Campbell County Health has been the victim of a ransomware attack. All CCH computer systems have been affected, which impacts the organization’s ability to provide patient care.

"The appropriate authorities have been notified, and efforts are underway to restore the affected systems. Information on CCH services will be updated as soon as information becomes available."

CCH said that the attack had not compromised any patient data.

A CCH spokesperson said on Friday: "At this point in time, there is no evidence that any patient data has been accessed or misused. The investigation is ongoing, and we will provide updates when more information becomes available. We are working diligently to restore complete access to our services."

As of Sunday, Campbell County Memorial Health's maternal child department had begun accepting patients again on a case-by-case basis. It is not yet clear when CCH services will be back to normal. 

A CCH spokesperson said: "We are collaborating with the local, state, and federal authorities to address this unfortunate incident securely and as quickly as we can. We are very thankful for the local support from the City of Gillette, Campbell County Commissioners, [and] Campbell County Emergency Management."

Source: Information Security Magazine

Most CISOs Believe They're on Track to Become CEOs

The role of chief information security officer (CISO) is being treated with newfound respect, according to research by a security solutions integrator.

Optiv Security's State of the CISO survey questioned 100 CISOs in the US and 100 CISOs in the UK to discover how the role is currently perceived within the traditional business hierarchy. 

The results, published today, show that 96% of respondents think that senior executives have a better understanding of cybersecurity than they did five years ago, and 67% said the business they worked for prioritized cybersecurity above all other business considerations. 

Interestingly, 58% of CISOs reported that their job prospects had improved after they experienced a data breach. In fact, most respondents thought that the career path of a CISO was today more illustrious than ever. 

Of the CISOs surveyed, 76% felt that cybersecurity risk was now so important to businesses that CISOs would start being promoted to the role of CEO. Not bad for a relatively new role in the corporate executive hierarchy.

"The Chief Information Security Officer has traditionally reported to the CIO because the job has been regarded as primarily technical. However, the current epidemic of breaches coupled with privacy regulations like the GDPR and CCPA has made cybersecurity a tier-1 business risk," wrote researchers for Optiv. 

According to Optiv’s practice director of risk management & transformation, Mark Adams, CISOs have many qualities that would make them great in the role of CEO. He said: "The CISO exhibits a mastery of negotiation by actively listening and applying the disciplines of consensus-building among his peers and subordinates. The effective CISO thinks more strategically than tactically, planning for the long term and what organizational conditions must be managed to achieve success."

But before CISOs ascend the ranks they have some serious work to do, especially in the US, which the research shows lags behind the UK when it comes to practicing what to do in the event of a cyber-attack.

Adams said: "UK-based organizations report a significantly higher frequency of rehearsing their incident response plans. It is a bit surprising that 36% of US-based companies reported exercising their plans less than once per year, particularly given the adverse impact that perceived negligence can have on the brand/reputation of the organization."

Source: Information Security Magazine

Cybersecurity Firm Tops List of Highest-Paying Companies

New research has shown that cybercrime really does pay, but not for the people you'd expect. 

A study conducted by a company review site to find out which firms are the most generous when it comes to remuneration found that the best-paying gig was to be had at an American multinational cybersecurity company. 

Glassdoor's list of the 25 highest-paying companies in the US for 2019 was topped by Palo Alto Networks, which has its headquarters in Santa Clara, California. The cybersecurity firm, which employs over 5,000 people around the world, rewards workers for their efforts with a median total salary of $170,929. This figure dwarfs the Bay Area's average median base pay, which is $73,128. 

After reporting a 29% year-over-year increase in revenue for the 2018 fiscal year, in which they made $2.3bn, Palo Alto Networks certainly has the cash to splash. Such bountiful paychecks are likely to have been a contributing factor when Palo Alto Networks was ranked number one as "best place to work" in the Bay Area by SF Business Times in 2016.

"Not surprisingly, tech companies dominate the list of high-paying employers, including companies like Twitter, Google, and LinkedIn," Glassdoor's researchers wrote. "The three highest-paying employers in 2019 were all tech companies paying a median total salary over $160,000 a year."

In fact, every one of the top ten highest-paying companies was tech related. Second after Palo Alto Networks was NVIDIA, which has more than 50 offices worldwide and is also based in Santa Clara. The median total salary NVIDIA pays employees is $170,068. 

The list of highest-paying companies was drawn from data reported to Glassdoor between July 1, 2018, and June 30, 2019, by employees based in the US. The information reported included details on base pay and other forms of compensation, including commissions, tips, and bonuses. To be considered for the report, companies had to have received at least 75 salary reports during this timeframe. 

Though tech companies are leading the way on median pay, researchers found that the highest-paid jobs are in the field of medicine. Physicians topped Glassdoor's list of the 25 highest-paying roles in the US for 2019, earning a median base salary of $193,415.

However, Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security, and risk management, thinks that doctors may lose their spot at the top to a future gatekeeper of cybersecurity.

Durbin said: "Our digital world today runs on shared data and networks, and it relies on the public trust. Security professionals are the protectors of these assets. Moving forward, organizations should rise above the hiring fray and focus on fresh, strategic, long-term approaches to building, supporting, and integrating the security workforce. 

"Security professionals are key to the future and their skill sets may very well push their profession to the top of the salary list."

Source: Information Security Magazine

Twitter Culls 10,000 More State-Sponsored Accounts

Twitter has removed another 10,000 accounts across six countries after discovering coordinated activity among nation states designed to spread misinformation.

The move comes nearly a year after the social network first began efforts at uncovering state-sponsored propaganda efforts using fake accounts. Since then, it has announced new discoveries in January, June and August this year.

Chinese efforts to spread misinformation about Hong Kong’s pro-democracy protesters appear to be showing no signs of slowing down. On top of the network of 200,000 fake accounts disclosed in August, Twitter has added another 4301 which it said were attempting to “sow discord” about the protests.

Elsewhere, 4248 accounts were suspended in the UAE for “often employing false personae and tweeting about regional issues, such as the Yemeni Civil War and the Houthi Movement.”

A further network of 271 accounts in Egypt and the UAE was focused on spreading misinformation about Qatar and other countries such as Iran.

Twitter also suspended 1019 fake accounts in Ecuador linked to the PAIS Alliance party for a propaganda operation supporting President Moreno’s administration.

A further 259 accounts were suspended in Spain, once again linked to a major political party – this time the right-wing Partido Popular.

As per previous culls, Twitter has permanently suspended the flagged accounts and made available an archive of removed tweets for researchers to study.

“Nearly one year on, the archive is now the largest of its kind in the industry. Thousands of researchers have made use of these data sets that contain millions of individual Tweets and more than one terabyte of media. Using our archive, these researchers have conducted their own investigations and shared their insights and independent analyses with the world,” the firm explained.

“Transparency and openness are deep-seated values at the heart of Twitter which define and guide our methodology around these disclosures. Going forward, we will continue to enhance and refine our approach to disclosing state-affiliated information operations on our service.”

Source: Information Security Magazine

Thinkful Resets Passwords After Data Breach Exposes Coders

Online education platform Thinkful has suffered a data breach which may have given hackers access to users' accounts.

The training site for developers notified all of its users by email that an unspecified number may have had their “company credentials” accessed by an unauthorized third party.

However, it clarified that no government identification or financial info belonging to the company would have been available to the hackers via this route. “As soon as we discovered this unauthorized access we promptly changed the credentials, took additional steps to enhance the security measures we have in place, and initiated a full investigation,” it continued.

“Additionally, at this time we have no evidence of any unauthorized access to any other Thinkful user account data or user information. However, as a measure of added precaution, we are requiring all users to reset their Thinkful passwords.”

The cause of the breach is still unclear, although a phishing attack against a site admin or a credential stuffing raid are among the usual suspects. Also unclear is the number of users affected and when the incident occurred.

It does come at an awkward time for Thinkful, however, given the firm only recently announced its $80m acquisition by student learning platform provider Chegg.

That firm has also been on the receiving end of unwanted attention from the black hat community: last year it revealed in a regulatory filing that hackers managed to access a company database, stealing log-ins, and email and shipping addresses.

It was forced to reset 40 million passwords as a result.

Securonix VP EMEA, Robert Ramsden Board, argued that the incident highlights the importance of due diligence before buying a company.

“Purchasing a company that has taken a lax approach to security will only come back to haunt the buyer, as Marriott learned the hard way after its purchase of Starwood hotels,” he added.

“Data breaches pose a serious reputational and business risk to organizations. Therefore, to avoid unauthorized access to internal systems organizations should simulate data breach security drills to identify weaknesses that could be exploited and train staff on the malicious tactics cyber-criminals use to reduce the risk of human error.”

Source: Information Security Magazine