Cyber Round Up: A Better Way to Teach Cybersecurity; Take Cybersecurity Away from Spies; EU-US Privacy Shield Review

  • A Better Way to Teach Cybersecurity to Workers (WSJ): Companies have found out that punishing employees for poor cyber hygiene is not effective, according to a recent report in the Wall Street Journal.  The general consensus is that most people dread cyber security training.  Instead, companies are making progress when they switch out the stick for the carrot, the article says.  Research has shown that companies using games, competitions, and the like have had better results when it comes to employees’ cyber habits.  The full article can be read here.
  • Take cybersecurity away from spies…for everyone’s sake (Wired): Commentary in an article last week addressed the inherent flaws and conflicts of interest that arise when intelligence agencies are the ones who find cyber vulnerabilities.  The post highlights statistics about the British signals intelligence agency, but also mentions the NSA.  For example, according to the post, the core exploit in the WannaCry attack was engineered by the NSA. Instead of informing Microsoft of the vulnerability, the intelligence agency chose to hold on to the information for its own use.  The article discusses how these competing interests hinder cyber security.  The full post can be read here.
  • EU-U.S. data pact faces first major test of credibility (Reuters): The EU-U.S. Privacy Shield data pact is set to be reviewed this week after its first year in place, a report over the weekend said.  The deal was meant to provide greater privacy protections for Europeans whose data ends up on U.S. servers.  The big question, according to the article, is whether the U.S. is holding up its end of the deal.  While the deal was viewed as an improvement for privacy in some respects, it has also been challenged as not going far enough, the author reports.  The full post can be read here.


Lessons Learned from Equifax

In the wake of the Equifax Data breach and the litany of issues regarding potential insider stock sales, insecure database applications, and finger-pointing between Apache and Equifax, there are some valuable lessons we should all take heed of.

  1. Trust no one, and no entity: I hate to sound overly dire, but even the old “trust, but verify” adage is insufficient in the world of cyber.  One should assume that their information is insecure and that it has already been breached; mitigation then becomes the name of the game;
  2. data, both in flight and at rest, should be encrypted.  Seriously, who puts data on an accessible server and then leaves it unencrypted?  While, given enough time and resources, encryption can (generally) be broken, companies should at least try to appear as though they are interested in making hackers earn their keep;
  3. humans continue to be one of the weakest links in any cybersecurity chain. Take a look at the Argentinian Equifax web portal connected to an RDBMS accessed using admin/admin credentials.  Seriously?
  4. with respect to point #3, above: companies really need to embrace the fact that IT and IS are equal, yet separate, disciplines.  While one is focused on availability and uptime, the other is (or should be) focused on protecting data and ensuring that proper access controls are implemented and continuously monitored;
  5. in the infantry the common mantra is “embrace the suck”.  In cyber, the mantra should be “embrace the SOC.”  Build one in-house, or use an outsourced Security Operations Center, but please, please allocate the necessary resources to identify, assess, secure, and monitor your data and information flows.
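Lesson 5's call to monitor data and information flows only pays off if a SOC has a baseline to compare against. The Python script below is an added example, not code from the original post: it builds a per-host outbound-volume baseline from constructed daily flow summaries (the host names, addresses, byte counts and the three-sigma threshold are all assumptions), then flags a day whose outbound total exceeds that baseline or a destination the host never contacted during the learning period, which is the shape a slow, months-long exfiltration tends to take.

```python
"""Baseline outbound data flows per host and flag deviations.

Added example (not from the original post). The flow summaries, host names,
addresses and thresholds below are constructed assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily flow summaries: (day, source host, destination, bytes out).
# In practice these would be aggregated from NetFlow/IPFIX, proxy or firewall logs.
BASELINE_FLOWS = [
    ("2017-05-01", "db-app-01", "10.0.5.20", 120_000),
    ("2017-05-02", "db-app-01", "10.0.5.20", 135_000),
    ("2017-05-03", "db-app-01", "10.0.5.20", 110_000),
    ("2017-05-04", "db-app-01", "10.0.5.20", 128_000),
    ("2017-05-05", "db-app-01", "10.0.5.20", 122_000),
    ("2017-05-01", "web-01", "203.0.113.9", 4_000_000),
    ("2017-05-02", "web-01", "203.0.113.9", 3_800_000),
    ("2017-05-03", "web-01", "203.0.113.9", 4_200_000),
    ("2017-05-04", "web-01", "203.0.113.9", 3_950_000),
    ("2017-05-05", "web-01", "203.0.113.9", 4_100_000),
]

# Constructed observation window: one host suddenly pushes a large volume to a
# destination it never contacted during the baseline period.
OBSERVED_FLOWS = [
    ("2017-05-13", "db-app-01", "10.0.5.20", 125_000),
    ("2017-05-13", "db-app-01", "198.51.100.77", 2_600_000),
    ("2017-05-13", "web-01", "203.0.113.9", 4_050_000),
]


def build_baseline(flows):
    """Per source host: mean and population stdev of daily outbound bytes,
    plus the set of destinations seen during the learning period."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, src, dst, nbytes in flows:
        daily[src][day] += nbytes
        dests[src].add(dst)
    baseline = {}
    for src, per_day in daily.items():
        totals = list(per_day.values())
        baseline[src] = {"mean": mean(totals), "stdev": pstdev(totals), "dests": dests[src]}
    return baseline


def detect_anomalies(baseline, flows, k=3.0):
    """Return (host, day, reason) alerts for hosts without a baseline, for
    destinations never seen in the baseline, and for daily outbound totals
    above mean + k * stdev of the learning period."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        daily[src][day] += nbytes
        profile = baseline.get(src)
        if profile is None:
            alerts.append((src, day, "no baseline for this host"))
            continue
        if dst not in profile["dests"]:
            alerts.append((src, day, f"new destination {dst}"))
    for src, per_day in daily.items():
        profile = baseline.get(src)
        if profile is None:
            continue
        threshold = profile["mean"] + k * profile["stdev"]
        for day, total in per_day.items():
            if total > threshold:
                alerts.append((src, day, f"outbound {total} bytes exceeds baseline threshold {threshold:.0f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

A five-day learning window is far too short for production use; the point is the structure: a per-host profile of volume and destinations, re-learned periodically, with every deviation routed to an analyst rather than discarded.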


For our continuing Equifax breach coverage, please check here.


Cyber Round Up: Cybersecurity Market Projected to Reach New Highs; Law Firms Lacking Cybersecurity; The Equifax Hack’s Wide Reach

  • Growing Cybersecurity Threat Projected to Push Cybersecurity Market to New Highs (Business Insider): The cybersecurity market size is expected to reach $231.94 billion by 2022, an approximate 160% increase from its current size of $137.85 billion, according to a recent Business Insider article. The article summarizes a Markets and Markets research report, indicating security types most in focus. It also delves into recent cybersecurity advancements for companies such as FireEye Inc. and Symantec Corporation. The full article can be read here.
  • What You Need to Know About Law Firm Cybersecurity (Above the Law): Law firm in-house practices often include cybersecurity, but many don’t practice what they preach, leading to insecurities within the law firm’s own cybersecurity. A recent article looked at an ALM Legal Intelligence study which found, “22% of law firms did not have an organized plan in place to prepare for or respond to a data breach,” and “only 50% of law firms included in the study [had] cyber security teams in place” in the event of a data breach. The full piece can be found here.
  • Equifax Hack Likely Impacted All US Adults, Cybersecurity Expert Warns (Fox Business): The Equifax hack has left 143 million customers at risk of having their information stolen. However, Hiep Dang, director of Product Management at Cylance, told Fox Business, “conservatively, maybe 75% [of us were affected], aggressively, probably all of us.” The article explains what makes this breach “particularly damaging.”
    You can also follow Crossroad’s Equifax hack coverage here.

Cyber Round Up: Extortion is Hackers’ Latest Weapon; Kaspersky Making Changes in U.S.?; North Korea and Bitcoin

  • Hackers’ Latest Weapon: Cyber Extortion (WSJ):  Nefarious actors in cyber space have another tool in their toolbox. Hackers are not just stealing information or holding it ransom, an article in the Wall Street Journal says, but are now digging for sensitive information that could be used to extort companies and their executives.  The article explains that exposing intellectual property or embarrassing emails can be much more damaging than other forms of attacks.  Victims of extortion from hackers include HBO, Netflix, medical clinics, casinos, and energy companies. The full article can be read here.
  • Under scrutiny, Kaspersky Lab considers changes to U.S. subsidiary (Reuters):  The Russian company is considering making changes to its subsidiary in the United States after repeated allegations that it is subject to the influence of the Russian government.  A bill that the Senate is scheduled to vote on this week includes language that would ban U.S. government agencies from using Kaspersky software, the article said.  Conflicting reports have emerged as to whether the company will be expanding in North America or completely shutting down, the article points out.  The full report can be read here.
  • North Korea is trying to amass a bitcoin war chest (CNN):  North Korea is attempting to circumvent recently imposed sanctions by building up its stock of cryptocurrencies, recent reports suggest.   A CNN report quotes one FireEye officer who explains that “Attacks on cryptocurrency exchanges can be a great vehicle to obtain what is ultimately hard currency.”  FireEye, according to the article, has linked several attacks on cryptocurrency exchanges to North Korean hackers in the months since the U.S. announced it would be taking a stronger stance against the nation. The full article can be read here.

Equifax: Let the Blame Game Begin

Equifax Blames Apache –> Apache rebuts; in the end Consumers still Lose

Equifax appears to be blaming a vulnerability in the Apache Software Foundation’s Apache Struts Web Framework, according to a post on Apache.org.  The Apache Struts Project Management Committee (PMC) post goes on to address the assumption that the Equifax breach may have relied on a vulnerability in the Struts framework that was discovered on September 4, 2017. The post posits that, if the attackers relied on this vulnerability, it would have been a zero-day exploit, since the issue was not detected until well after the attacks, which began in mid-May of 2017.  Furthermore, the PMC’s post asserts that this particular exploit, outlined in CVE-2017-9805, may have existed for nine years; however, it was not a known issue during that timeframe, and in fact the PMC asserts that as soon as Apache became aware of the issue a fix was developed and made available.

The PMC’s post goes on to outline a few key steps that businesses and individuals using Apache Struts (or any other supporting software) should implement:

  1. inventory the frameworks and libraries you are using in your software development and products and maintain visibility into new releases, patches, vulnerabilities, etc. for each of those;
  2. create and utilize a process to test and roll-out security fixes in shorter time-periods (e.g. days vs. weeks);
  3. don’t build your products on the assumption that the software you are using is flawless;
  4. create security layers — don’t create a situation where a breach from the presentation (e.g. webpage layer) can endanger underlying back-end data; and
  5. establish baselines to monitor for unusual traffic or data flows which will help to identify network anomalies and potential intrusions and exfiltrations.
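Steps 1 and 2 of the PMC’s list are a process, and the part that usually fails is the join between the component inventory and the advisory feed. The Python script below is an added example, not code from the Apache post or the Struts project: it parses a constructed Maven-style inventory, matches each component against a small constructed advisory list, and reports the upgrade target plus how long the fix has been available against a patch-rollout SLA. CVE-2017-9805 is the advisory named in the post, but the affected ranges, fixed versions and publication date attached to it here are assumptions used as sample data, as is the placeholder advisory EXAMPLE-ADV-0001.

```python
"""Match a component inventory against advisories and check a patch SLA.

Added example (not from the Apache PMC post or the Struts project). The
inventory, advisory ranges, fixed versions and dates are constructed sample
data; verify real affected ranges against the vendor's advisory text.
"""
from datetime import date
import re

# Constructed inventory in Maven coordinate form: group:artifact:version.
# In a real pipeline this comes from a dependency lockfile or SBOM.
INVENTORY = """
# application dependencies (constructed)
org.apache.struts:struts2-core:2.5.13
org.apache.struts:struts2-rest-plugin:2.5.10
com.example:widget-lib:1.4.2
com.example:logger-lib:3.0.0
"""

ADVISORIES = [
    {   # Advisory named in the PMC post; the ranges and date below are
        # assumptions for sample data, not a statement of the real advisory.
        "id": "CVE-2017-9805",
        "artifact": "org.apache.struts:struts2-rest-plugin",
        "affected": [("2.1.2", "2.3.33"), ("2.5.0", "2.5.12")],
        "fixed_in": ["2.3.34", "2.5.13"],
        "fix_published": date(2017, 9, 5),
    },
    {   # Placeholder advisory for a fictional library.
        "id": "EXAMPLE-ADV-0001",
        "artifact": "com.example:widget-lib",
        "affected": [("1.0.0", "1.4.9")],
        "fixed_in": ["1.5.0"],
        "fix_published": date(2017, 8, 1),
    },
]


def parse_version(v):
    """'2.5.13' -> (2, 5, 13); a qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if m is None:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def parse_inventory(text):
    """Map 'group:artifact' -> version, skipping blank and comment lines."""
    components = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        components[f"{group}:{artifact}"] = version
    return components


def is_affected(version, advisory):
    """True if version falls inside any inclusive affected range."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in advisory["affected"])


def recommended_fix(version, advisory):
    """Prefer a fixed release on the same major.minor branch; else the newest."""
    pv = parse_version(version)
    same_branch = [f for f in advisory["fixed_in"] if parse_version(f)[:2] == pv[:2]]
    return max(same_branch or advisory["fixed_in"], key=parse_version)


def audit(inventory_text, advisories, today, sla_days=7):
    """Return one finding per affected component, with SLA status."""
    components = parse_inventory(inventory_text)
    findings = []
    for adv in advisories:
        version = components.get(adv["artifact"])
        if version is None or not is_affected(version, adv):
            continue
        days_open = (today - adv["fix_published"]).days
        findings.append({
            "artifact": adv["artifact"],
            "version": version,
            "advisory": adv["id"],
            "upgrade_to": recommended_fix(version, adv),
            "days_since_fix": days_open,
            "sla_breached": days_open > sla_days,
        })
    return findings


def run_sample():
    """Audit the constructed inventory as of a fixed (constructed) date."""
    return audit(INVENTORY, ADVISORIES, today=date(2017, 9, 10))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The SLA field is what turns step 2 into something measurable: a finding that is still open after the agreed number of days is a process failure to escalate, independent of whether anyone has yet seen exploitation.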

<opinion>

Dear Equifax:

please wake up and realize that finger-pointing, trying to blame Apache or any other software product, in addition to the incredibly poor timing of the executive stock option sales before this breach was made public, are not going to help you in the court of public opinion, nor in any court of law where jurors may sit.

As a consumer and a business professional, it would have been reassuring to learn that the breach only grabbed encrypted records, since that is how you should be storing our data, or to learn that you were giving those executives the boot, since the mere appearance of impropriety was tantamount to deceit and malfeasance.  However, you chose instead to state that the executives had no idea there had been a breach days after it was discovered (in spite of the fact that the breach had been underway since mid-May) and then to assert that it wasn’t really your fault since the attacker used an exploit to exfiltrate unencrypted records.  Furthermore, if Equifax had done input validation or sanitization, then the vulnerability in Struts could not have been exploited in the first place; see this post from Imperva.

Needless to say, at this early stage in the game, Equifax’s handling of this breach since it was discovered appears to be a case study in what not to do.  As Equifax’s shares continue their downward movement and as consumers and businesses alike start to realize the repercussions of this breach, it is unlikely that Equifax has issued a single statement or taken a single step that has helped itself, its consumers, or its users.

Several days after the breach was disclosed, some Equifax executives were able to sell their stock at $145-$146/share; today Equifax shares closed at $113.12.  Meanwhile, 143M of us are waiting to sign up for “free” credit monitoring so we can see when someone tries to use this data to steal our identities.  However, as the OPM breach taught us, data is worth so much more than just identity theft.  Once you get enough data points on a person, the sky’s the limit.

In short, thanks for encrypting our precious data that would have cost you a little bit of money and would have slowed down some of your back-end processes but would have made the attackers work a whole lot harder to grab our data (in a readable and usable format).

Sincerely,

John Q. Public


We have covered this in a few other posts recently: Round Up (09/11); Equifax: Perception = Reality (09/08); Equifax: 143M Americans Breached (09/07).


Cyber Round Up: iOS11 May Complicate Border Searches; N. Korea Tests Public-Private Information Sharing; Equifax Breach Coverage

  • iOS11 May Complicate Border Searches (Lawfare): Apple’s focus on protecting customer data may have some serious implications for U.S. agents at the borders, a recent article says.  The post on Lawfare explains how the new software update, iOS11, has additional security features that make accessing the contents of a phone or tablet more difficult.  The post notes that some of the features are more hype than substance, but features like requiring phones to “trust” a new computer have legitimate legal implications. The author suggests that the new feature will only allow a border agent to browse the contents of the device but not download them.  The full explanation can be read here.
  • Tensions with North Korea present a test for key US cyber program (Washington Examiner): The potential for cyber aggression between the U.S. and North Korea may shed light on how well the U.S. is sharing information between the public and private sectors, according to an article over the weekend.  The article notes that the Cybersecurity Act of 2015 emphasized this information sharing and placed the burden to do so on DHS.  In order to protect critical infrastructure, something North Korea may focus on in a cyber attack, the federal government will need to pass important information to the private sector in a timely manner. The full analysis can be read here.
  • Equifax Breach Coverage:  You don’t need this blog to inform you of the Equifax data breach that occurred late last week.  The story has grabbed headlines everywhere.  Christopher Folk provided his thoughts on the breach on this blog over the weekend. Read those comments here.

Cybercrime Symposium: When Cybercrime Turns Violent and Abusive

The University of Maryland Francis King Carey School of Law will be hosting a symposium this Friday, September 15, 2017.  The event description is posted below and you can register here.

Brief description: The U.S. Department of Justice, Computer Crime and Intellectual Property Section, and the University of Maryland Francis King Carey School of Law invite you to attend the 2017 Cybercrime Symposium, “When Cybercrime Turns Violent and Abusive.” The Symposium will bring together multiple stakeholders to address the challenges in combating different kinds of online abuse and cyber exploitation, including cyber stalking, doxxing, non-consensual pornography, swatting, and sextortion.

Closing Keynote Address by Andrew McCabe, Deputy Director, Federal Bureau of Investigation

Additional keynote remarks by Kenneth A. Blanco, Assistant Attorney General (Acting), U.S. Department of Justice, and Annmarie Chiarini, Cyber Civil Rights Initiative

Panel 1: Holding Offenders Accountable

Carrie Goldberg, C.A. Goldberg, PLLC

Matthew O’Neil, United States Secret Service

Mona Sedky, United States Department of Justice

Benjamin Wittes, Brookings Institution

Panel 2: Balancing Free Speech Interests and Public Safety

Erwin Chemerinsky, University of California Berkeley School of Law

Danielle Citron, Francis King Carey School of Law

Brittan Heller, Anti-Defamation League

Panel 3: The Public Safety Role of Social Media and Technology Companies

Patricia Cartes, Twitter

Antigone Davis, Facebook

Mary Anne Franks, University of Miami School of Law

Panel 4: Anonymizing Technologies—Costs versus Benefits

Keith Becker, United States Department of Justice

Roger Dingledine, TOR Project

Susan Hennessey, Brookings Institution


Equifax: Where Perception = Reality, Timing is Everything


This is a follow-up to a previous post. Paul Monica’s recent article in CNNMoney indicates that officers of the Equifax Corporation sold shares of stock in the days following Equifax’s data breach.  The article indicates that Equifax became aware of the breach on Saturday, July 29th, and that thereafter, on Tuesday, August 1st, and Wednesday, August 2nd, three Equifax officers sold shares of Equifax stock.  Looking at the U.S. Securities and Exchange Commission’s EDGAR system, it seems that John Gamble, CVP & CFO; Joseph Loughran III, President USIS; and Ploder Rodolfo, President Workforce Solutions, all sold stock worth nearly $1.9M the week after the breach was “discovered.”

John Gamble: SEC Form 4

Joseph Loughran, III: SEC Form 4

Ploder Rodolfo: SEC Form 4

The article states that Equifax told CNNMoney that the executives “had no knowledge that an intrusion had occurred when they made the sales.”

{OPINION}: Business 101: Perception is everything, and this article raises a (minimally) two-fold question: (1) is Equifax so incredibly inept that a breach of epic proportions was discovered on Saturday, July 29, and yet on Tuesday, August 1st, key corporate officers still had not been made aware of it?; (2) why did Equifax even respond to the CNNMoney article if it was merely going to skirt the issue and then demonstrate its complete lack of an internal breach notification system?

The optics on this were bad already: a data breach was discovered on July 29th, the impact is upwards of 143M records, and the news wasn’t released until after the latest news cycle covering Irma was complete on a Thursday evening.  Now it seems Equifax executives had the uncanny good fortune to offload what is soon to be a plummeting stock and net hundreds of thousands of dollars in the process.

While it is true that breaches happen even to the most secure systems, how breaches are handled once discovered can have a tremendous impact on consumer trust, goodwill, and ongoing business relationships.  Equifax is going to have to redouble its efforts and work on its PR if it wants to successfully weather this storm.

On the “adding insult to injury” track, below is a screenshot of the Equifax online verification screen to determine if you may have been compromised during their breach.



Equifax Data Breach: Data of 143M Americans Breached

Equifax Data Breach Impacts 143M Americans

Lee Mathews reports in a Forbes article that Equifax discovered a breach on July 29th that could impact nearly half of the US population.  The article goes on to say that personally identifiable information (“PII”) such as social security numbers, birthdates, names, addresses, and credit card numbers comprises approximately 209,000 of the breached records, while additional information, such as credit card charge disputes and related information, was involved in another 182,000 records, according to the article.

The article indicates that Equifax has created a dedicated website to assist users and is staffing a call center from 7AM – 1AM (Eastern) to answer any questions related to this breach.  Furthermore, according to Mathews, Equifax is offering free credit monitoring for all the affected persons [Ed. note: users may want to opt for third-party monitoring unless they feel that monitoring (but not data security) is something Equifax is capable of handling in a competent fashion].

To be sure, this is likely to generate significant attention for the next several weeks as the forensic analysis proceeds and the full scope and manner of the breach are revealed.


Cyber Round Up: Cyber in Academia; Dragonfly: Hackers Target Energy Sector; SEC Chairman Sees ‘Systemic’ Cyber Risk

  • How Cybersecurity Became 2017’s Hot New Major (The Village Voice):  The byline reads, “Everybody wants to teach, but nobody can decide what it is.”   An article last month discussed the gap between what cyber students are learning in school and the skills that employers in the work force are looking for.  Despite how much of a hot topic cyber has been, academia has not caught up, the article says.  One focus of the piece is that those that are in charge of building these programs cannot decide what to teach.  A major reason for this, the author explains, is the inherently multidisciplinary nature of the field and the way education is compartmentalized in departments. The full article can be read here.
  • Dragonfly: Western energy sector targeted by sophisticated attack group (Symantec): A recent report from Symantec says that the energy sector in North America is being targeted by a group known as Dragonfly.   According to the report, the group has been operating since 2011, but until recently had been relatively quiet.   While some news headlines attributed the attacks to Russia, the report says that many different measures were utilized to make attribution more complicated. Symantec claims to have evidence that this recent string of attacks started in 2015 and has seen a strong uptick in 2017.  The full report can be read on Symantec’s Blog and is included in this post for reference. Predictably, the report includes the company’s pitch that its software can protect against Dragonfly 2.0.

  • SEC chief says cyber crime risks are substantial, systemic (Reuters):  The head of the SEC says the organization needs to do more to make the everyday American aware of the cyber risks involved with investing, a recent article says.  Areas of concern range from hackers stealing information to gain a market advantage to issues like initial coin offerings (“ICOs”).   ICOs, which are based on blockchain technology, have allowed startups to raise $1 billion so far this year and can be considered securities, meaning they would fall under SEC regulations, the article claims.  The full article can be read here.


Authors

Professor William C. Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as a clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review and the Journal on Terrorism and Security Analysis, and participates in the Veterans’ Legal Clinic.

Shelby E. Mann

Shelby is a second year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review and the Journal on Terrorism and Security Analysis, and is the senior editor for the Syrian Accountability Project.

Christopher W. Folk

Christopher is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

Anna Maria is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor of the Syracuse Law Review.

Jennifer A. Camillo

Jennifer is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

Tara holds Juris Doctor and Master of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

Benjamin is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)