Information Security News Alert September 2016

Insider Threats, APTs & Data Breaches, Oh My!

QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu

Bob Lavner 508-767-7006 blavner@assumption.edu

DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.


Global Cost of (in)Security

The cost of doing business is climbing, and it’s not due exclusively to economic issues. Organizations of all shapes and sizes are under attack. E-commerce has taken over the way we do business, which means there’s a lot of sensitive information being exchanged. This opens more doors for criminals. Instead of going after goods and services, they can target our data (and yours) without even leaving home. Some attacks are high-profile, such as 117 million emails and passwords stolen from LinkedIn, or the release of contact info for 20,000 FBI and 10,000 Department of Homeland Security employees. Other breaches fly under the radar, such as the successful phishing attack on Tidewater Community College, but incidents are piling up. So pervasive is the problem that data breaches have turned into a global phenomenon. Approximately 55 million people had their personal information compromised when the database for the Philippine Commission on Elections was breached. A Bangladesh bank reported one of the biggest cyber heists in history when an official’s computer was hacked. 81 million USD/73 million Euros were stolen. UK phone and broadband provider TalkTalk reported that millions of customers may have had their personal information exposed in an attack—their third data breach in two years.

So what can we do? Clearly, the bigger the company, the bigger the target. But the bad guys are proving time and time again that no one is safe. And it’s not like all of us have access to thousands of accounts. But we can learn from the breaches dominating our news cycles by upgrading awareness, staying alert, and reporting anything unusual when we see it. The worst thing any of us can do is assume we’re not a target.

A database belonging to the Ministry of Education was compromised, exposing personal information—including passwords and addresses—of 2,800 users and Colombian government employees.

13 million USD / 1.4 billion Yen were stolen from Japanese ATMs by using stolen data from 1600 South African bank accounts.

Cybercrime is the cause of 95% of losses for Brazilian banks, including “Boleto Malware,” which led to nearly half a million fraudulent transactions and affected more than 30 Brazilian banks over a period of 2 years.

KM.RU, a Russian email service, was breached, resulting in 1.5 million accounts being exposed.

A database containing 870,000 users for Australian insurance company Aussie Travel Cover was stolen and posted online.


ransomware case study

VICTIM: University of Calgary

ATTACKER’S ANGLE: UCalgary was a target due to their status as a “world-class research facility.” The seizure of staff and faculty email and lockdown of university-issued computers prevented access to valuable data.

RESPONSE: University IT was able to isolate the attack and restore affected portions of their network. Experts from cybersecurity and the Calgary Police Service were brought in as a part of the investigation.

RESULTS: Despite the efforts of their IT team, the university determined their best course of action was to pay the ransom and begin the process of decryption.

RANSOM PAID: $20,000 CDN/$15,500 USD

Dear Security Guru,

I’m so afraid of getting ransomware. What can I do to protect myself? – Concerned in Copenhagen

You’re not alone. It seems like an incident or new strain of ransomware is reported every day. Criminals behind these attacks are getting craftier with social engineering, too, making them harder to identify. These “best practice” steps make protecting yourself fairly simple. As always, follow policy when handling work-related data and devices.

Don’t automatically click on links or attachments in emails without thinking, even if the email appears to come from someone you know. Phishing is the number one way criminals carry out their attacks.

Utilize the 3-2-1 Backup Strategy: On personal equipment, 1 is your primary device, 2 is your local backup, and 3 is off site (such as the cloud). Criminals lose their leverage if you have a way of retrieving your data without their decryption key. At work, always follow policy.

Trust but verify. Believe it or not, ransomware is coming to a smartphone near you. Google the reputation of any app before downloading and installing.

Stay up-to-date and informed. Not only should you make sure your computers, including mobile devices, are on the latest versions of software and firmware, you should also keep an eye on the news. Familiarize yourself with the latest threats and attacks.

Follow policy. Know how and when to respond to suspicious activity at work. If you’re not sure, ask!

Macros

Macros are programs that are embedded in documents to perform specific tasks. Macros aren’t inherently bad, and can be quite useful for doing repetitive tasks within applications like Word or Excel. But someone with nefarious intent (like a criminal hacker) can create a malicious macro to do any number of things: embed itself into other documents, install software without the user’s consent, and email itself to all your contacts. Macro security has improved significantly over the years. For example, Microsoft created a new naming system in 2007 to help identify files with or without macros: any file that has the extension .docx is a regular file, and a file that has the extension .docm has embedded macros. (Read more here: http://abt.cm/2bb9cRd) But even that isn’t foolproof! Follow these steps to help avoid malicious macros:

1. NEVER download an attachment from an UNKNOWN sender.

2. VERIFY AND SCAN with anti-virus software before you download an attachment from a KNOWN sender.

3. DO NOT ENABLE macros unless you are 100% positive they are legitimate and safe.
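Because the .docx/.docm naming convention is not foolproof, a defender should look inside the file rather than trust its name. The following Python script is an added example (not from the newsletter or from Microsoft) that opens an Office Open XML package, checks for the vbaProject.bin part and its declared content type, and flags a file whose extension promises "no macros" while the package carries a VBA project. The sample packages it builds are constructed minimal zips, not real Word documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type Office assigns to the VBA project part of a macro-enabled file.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

def inspect_office_file(data: bytes) -> dict:
    """Report whether an OOXML package (docx/docm/xlsx/xlsm) carries a VBA project, ignoring its name."""
    result = {"is_ooxml": False, "has_vba_part": False, "declares_vba_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy .doc/.xls binaries are OLE, not zip; out of scope here
    names = zf.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    # The macro container is a part named vbaProject.bin (under word/, xl/ or ppt/).
    result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if result["is_ooxml"]:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        result["declares_vba_type"] = any(
            el.get("ContentType") == VBA_CONTENT_TYPE for el in root.iter())
    return result

def classify(filename: str, data: bytes) -> str:
    """Compare what the extension promises with what the package actually contains."""
    r = inspect_office_file(data)
    if not r["is_ooxml"]:
        return "not-ooxml"
    has_macros = r["has_vba_part"] or r["declares_vba_type"]
    ext = filename.lower().rsplit(".", 1)[-1]
    if has_macros and not ext.endswith("m"):
        return "macro-but-plain-extension"  # .docx/.xlsx name, macro project inside
    return "macro-enabled" if has_macros else "no-macros"

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip for demonstration; not a real Word file."""
    buf = io.BytesIO()
    override = ('<Override PartName="/word/vbaProject.bin" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>' if with_macro else "")
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="xml" ContentType="application/xml"/>'
                    f"{override}</Types>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder bytes
    return buf.getvalue()
```

Run `classify(name, open(name, "rb").read())` over attachments arriving at a mail gateway to catch the mismatch before a user is ever asked whether to enable macros.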


ADVANCED PERSISTENT THREATS

Advanced Persistent Threats, also known as APTs, are well-organized, well-financed, espionage-style attacks. They are launched by nation-states or professional criminal enterprises against high-profile organizations in an effort to steal trade secrets, company financials, personal information, competitive analysis, customer lists, and anything else of value.

But what, specifically, are APTs? And how are they successful? Let’s deconstruct their three basic elements and examine how they can affect you and our organization.

APTs are advanced. The techniques and malware used to expose the vulnerability of a target are highly sophisticated and generally orchestrated by groups of individuals. They are harder to catch, often go unnoticed for years, and may cause irreparable damage by the time they are discovered.

APTs are persistent. Attackers have the resources to continuously monitor and extract data. They often put in months or years of research before launching an attack, then carry out their objectives against specific targets within an organization using basic social engineering techniques (such as vishing and spear phishing).

APTs are threatening. We often forget that computers don’t attack computers; people attack people using computers. The human element—the YOU part of this equation—is very important. APTs are successful because they use clever phishing scams to launch their campaign. Due to the attackers’ extensive research, they’re able to create spear phishing emails that look legitimate in your inbox. Disguised to be from someone or a company you’re familiar with, they can actually contain malware (via links or attachments) that could give the bad guys a way into our systems.

What does an APT look like? How about the biggest data breach in US government history?! In June of 2015, officials reported that the United States Office of Personnel Management was the victim of an intrusion that had been active for at least a year. As many as 18 million records of personally identifiable information (PII) were compromised. A spokesman for OPM added that “information related to the background investigations of current, former, and prospective federal government employees may have been exfiltrated.” In a word, the attack was epic.

What Does This Mean for You? It means you should keep software up to date per our policy here at work. It means you should be careful about what files you download or share and only use trusted USB storage devices. It means you should mouse over links and always think before you click. Remember, you don’t need to be an advanced security expert to protect yourself and our organization from advanced persistent threats. Just be vigilant, be skeptical and be persistent. And, if you see something unusual, report it immediately!


Script Kiddies

Younger, less-informed cyber threats who generally attempt to misbehave by using malware purchased from the internet underground. They do not always understand the consequences of their actions.

Hacktivist

Not always conventional criminals, these hackers are a part of the “hacktivism” movement, which utilizes hacking to further political agendas such as human rights or freedom of speech and information.

Scammers & Phishers

These are the criminals that reach into your inbox promising large sums of cash in return for a small, upfront payment (an advance-fee or 419 scam), or spoofing a service (such as a bank or credit card company) to get you to click on a malicious link or attachment.

Malware Authors

In a way, malware authors are the brains behind much of cyber crime. They handcraft malicious code and means of delivery, and often offer their services to lesser-skilled criminal hackers in exchange for a fee or percentage of profits.

Cyber Terrorists

Experts agree that future conflicts will be initiated by cyberwarfare techniques. Examples like the alleged Russian DDoS attacks against Ukraine and Latvia are often just the first steps. (Read more here: http://ubm.io/2bj6Dtp) Defending critical infrastructures has become a national mandate across the globe.

Insider Threats

Insider threats include current or former employees that compromise sensitive information, either intentionally, by accident, or through negligence. Insiders can work alone or with outsiders, but the motive is generally personal gain. Aware individuals are less likely to trigger an unintentional security event or breach.

hackers are people too!

If you merely scan the headlines from popular news cycles, you might be led to believe in a false narrative about hackers. In truth, a hacker is simply someone with an advanced understanding of computers and networks. Unfortunately, that word has been used irresponsibly by the media for decades, resulting in a negative image which unfairly groups bad guys with good guys. To be clear, all hackers are not criminals; only criminal hackers are criminals.

Want to learn more about the hacker community? Check out these two documentaries: Hackers Are People Too and DEFCON: The Documentary!

THIS IS A HACKER: In the 1996 movie Independence Day, the world is attacked by aliens. David Levinson (Jeff Goldblum) successfully breached the aliens’ network by reading satellite transmissions of their communications. His brilliant idea to stop the aliens from eradicating Earth was to attack their network by “giving it a cold”—a computer virus—that would disable their shields. Levinson and Capt. Steven Hiller (Will Smith) socially engineered their way into the mothership by disguising themselves as aliens and flying an alien aircraft up to the ship. Essentially, this was a real-life version of a phishing attack. Levinson uploads his virus to the mothership, which ultimately disables the force fields of all the alien ships (denial of service). In short, a hacker saved the world.

THIS IS NOT A HACKER: From 2005 to 2007, a man by the name of Albert Gonzalez carried out the biggest fraud in history by stealing and reselling 170 million credit card and ATM numbers. Gonzalez and his crew targeted the payment systems and networks of major corporations such as T.J. Maxx and Barnes & Noble, among many others. Gonzalez was eventually arrested, and is currently serving a 20-year prison sentence. Gonzalez is not a hacker. He’s a criminal. Even if he used hacking techniques, and obviously has advanced computer know-how, as soon as he used his skills to break the law and harm his fellow citizens, he became a criminal.


HEADLINE NEWS

Latest Phishing Scam Targets Illegal Downloaders of Game of Thrones

The latest round of phishing scams targets people who illegally download the popular HBO series Game of Thrones. These malevolent emails are well-crafted and appear to be sent directly from your ISP (internet service provider). They are fake violation notices stating that you have illegally downloaded copyright-protected media.

Like most phishing scams, there is a sense of urgency. It claims you have only 72 hours to pay a fine before legal action is taken and the matter is turned over to attorneys. Victims who click the link and make the payment are actually sending their money to cybercriminals.

It goes without saying that we do not condone illegal downloading of any variety. Not only does it put your personal data and cyber health at risk, it’s also a violation of copyrights and could lead to real legal repercussions.

As always, when you receive an unexpected email from an unfamiliar source containing links or attachments, assume it’s a scam—especially if it asks for private information or payment with a sense of urgency. Think before you click!

Banner Health: Victim of Largest Healthcare Breach of 2016

The largest healthcare breach thus far in 2016 hit US-based company Banner Health. The breach affected 3.7 million people, including patients, health plan members, beneficiaries, and food & beverage customers and providers. This is not the first time Banner Health has been breached. In 2014 they accidentally exposed PII of more than 50,000 people.

The recent attack began on June 17th. Criminal hackers accessed an enormous amount of PII, PHI, and credit card information, including: patient, physician, and clinical information; health insurance and claims information; social security numbers; employee benefit information; DEA and tax identification numbers, and national provider identifier numbers. To learn more, visit: http://bit.ly/2azpRy0.

Infosecurity @InfosecurityMag • Aug 5 Italian RAT targets Androids in China and Japan, possibly part of APT bit.ly/2anUYeV

The Register @theregister • Aug 5 Scammers employ new Twitter phishing tool that 2 out of 3 people fall for bit.ly/2aUcgzM

BBC News @BBCNews • Aug 4 Belgian MEP claims Tinder violates EU privacy rules by collecting too much info behind users’ backs bbc.in/2b5mdI4

CoinDesk @coindesk • Aug 3 Bitcoin price drops 20% after $60M+ was stolen from global exchange bit.ly/2aUYzP8

The Hacker News @TheHackersNews • July 27 Zero-day flaw discovered in LastPass allows account to be compromised bit.ly/2b8wJ1l

Security Awareness @SecAwareCo • July 25 Security checklist for Pokémon GO lets you catch ‘em all safely bit.ly/2b1dxmW

Motherboard @motherboard • July 22 Did a Fortune 500 company hire a notorious ransomware gang to hack their competition? bit.ly/2azuHW2

Fusion @fusion • July 21 Police unlock dead man’s phone by 3D printing his fingerprints fus.in/2abhpSc

