Equifax Data Breach Was “Entirely Preventable”, Report Says
The U.S. House of Representatives Committee on Oversight has released a report that concludes that the massive Equifax data breach back in September 2017 was "entirely preventable".
On September 7, 2017, Equifax disclosed a massive data breach affecting 143 million consumers, the majority of whom were from the U.S. and some from Canada and the U.K. This number later rose to 148 million consumers.
Equifax is one of the largest consumer reporting agencies (CRAs) in the world. CRAs collect account information from various creditors, analyze this data to create credit scores and detailed reports, and then sell these to third parties. CRAs’ data collection activities make them a repository of a large amount of personally identifiable information, which makes them a high-value target for cyber criminals, according to the report released by the U.S. House of Representatives Committee on Oversight (PDF).
A few weeks prior to the Equifax data breach, former Equifax Chief Executive Officer (CEO) Richard Smith said that Equifax was managing “almost 1,200 times” the amount of data held by the U.S. Library of Congress every day.
As a result of the massive data breach, Equifax held several of its officials accountable. Eight days after the data breach disclosure, the company’s Chief Information Officer and Chief Security Officer both took early retirements. Nineteen days after the data breach disclosure, the company’s then Chief Executive Officer Richard Smith left the company and 25 days after the breach, the company terminated its Senior Vice President and Chief Information Officer for Global Corporate Platforms.
Anatomy of the Equifax Data Breach
Based on the report released by the U.S. House of Representatives Committee on Oversight, the Equifax data breach was a result of a series of events that could have been prevented.
On March 7, 2017, Apache Software Foundation, an organization that oversees more than 350 leading open source projects, including Apache Struts, announced the security vulnerability designated as CVE-2017-5638 and patched it on the same day. This security vulnerability enables attackers to conduct remote code execution (RCE), a cyber attack in which the attacker takes over a computer by exploiting a vulnerability in the computer, regardless of where the computer is geographically located. A proof of concept of a CVE-2017-5638 attack scenario is publicly available on GitHub.
Apache Struts is a popular open source framework for creating web applications. Many of the world’s web applications use Apache Struts, including the web applications used by Equifax, financial institutions, government organizations and Fortune 100 companies. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal, was running a version of Apache Struts containing the CVE-2017-5638 vulnerability.
According to the House Oversight Committee, 2 days after the release of the CVE-2017-5638 patch, Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed over 400 Equifax employees who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a meeting about this vulnerability on March 16.
Despite the above-mentioned efforts, Equifax’s ACIS wasn't patched, leaving the company’s computer systems open to attacks. Just a few days after the release of the CVE-2017-5638 patch, that is, on May 13, 2017, attackers started their 76-day long cyber-attack on Equifax, the House Oversight Committee report said.
By exploiting the unpatched Apache Struts of the company’s ACIS, the report said, the attackers located a file containing unencrypted credentials, including usernames and passwords. These unencrypted credentials enabled the attackers to gain access to critical data outside Equifax’s ACIS, specifically access to the company’s 48 databases.
The report added that the attackers accessed unencrypted personally identifiable information of Equifax’s consumers on these 48 databases 265 times, and that the attackers transferred this data out of the company’s network. The report said Equifax wasn’t aware of this data transfer as the tool used to monitor ACIS network traffic had been inactive for 19 months as a result of an expired security certificate. It was only on July 29, 2017 that Equifax noticed the ACIS network traffic, as this was the date that the company updated the expired certificate.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the House Oversight Committee report said. “Had the company taken action to address its observable security issues prior to this cyber attack, the data breach could have been prevented.”
Here are some of the cyber security measures that your organization can implement in order to prevent data breaches similar to the Equifax data breach:
Keep All Software Up-to-Date
Cyber attackers are quick to exploit publicly known security vulnerabilities. In the case of the Equifax data breach, attackers exploited a known security vulnerability on Apache Struts just a few days after Apache Software Foundation patched the vulnerability. It’s important to install critical patches in a timely manner so as not to leave your organization’s IT system vulnerable to cyber attacks.
Encrypt Critical Data
It’s a proactive approach to assume that one day your organization’s critical data could be accessed by an unauthorized party. It’s important to encrypt your organization’s critical data so that attackers won’t have easy access to this high-value data. In encryption, data in plain text is converted into an unreadable form. The only way to read or unlock this encrypted data is via a decryption key – a time-consuming task on the part of the attackers. In the case of the Equifax data breach, the sensitive data of consumers wasn’t encrypted, making it easy for the attackers to locate the critical data.
Monitor Network Traffic
Monitoring your organization’s network traffic is one of the effective means of detecting intrusion. In the case of the Equifax data breach, at the time of the data breach, the company had no means to monitor its ACIS network traffic.
Look at deploying SIEM or MDR solutions.
Network access during non-working hours and unusual volume of data transfer are signs of intrusion. A workable automated network monitoring tool is a must to protect your organization’s IT system.
What Can Organizations Learn from the Marriott Data Breach
The recent data breach disclosure by Marriott is an eye-opener to organizations, not only because of the extent of the breach – with up to half a billion guests affected, but also because of the length of time that the breach remained undetected – lasting nearly 4 years.
Marriott, currently the world's largest hotel chain, has over 6,700 properties in 129 countries and territories, including Canada. The company has attained the stature of being the world's largest hotel chain after it completed its acquisition of Starwood Hotels & Resorts Worldwide in September 2016.
Marriott, in a statement, said that from 2014 up to September 10, 2018, an “unauthorized party” accessed the Starwood guest reservation network, affecting up to 500 million guests who made a reservation at Starwood properties. Out of the 500 million guests affected, the hotel chain said that data of 327 million of these guests was accessed without authority, including name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Financial data of an unspecified number of guests was also accessed by the unauthorized party, including payment card numbers and payment card expiration dates. While the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), the hotel chain said it won’t discount the possibility that the unauthorized party decrypted the payment card numbers.
Marriott didn’t specify the month or exact date in 2014 on which the data breach started. It can be recalled that in November 2015, prior to the completion of Marriott’s acquisition of Starwood, Starwood disclosed its own data breach, affecting nearly 100 Starwood hotels in North America.
Sergio Rivera, President of Starwood Americas, in a statement, said that point of sale systems at certain Starwood hotels were infected with a malicious software (malware), enabling “unauthorized parties” to access payment card data of some of the hotel customers.
Lessons from Marriott Data Breach
Here are some cyber security lessons from the recent Marriott data breach:
Implement Network Segmentation
Marriott said that its own Marriott-branded hotels aren’t affected by the data breach at the Starwood guest reservation network, as Marriott-branded hotels use a different network that wasn't breached.
Network segmentation is the practice of dividing a computer network into subnetworks, with each network having a different purpose or usage. Implementing network segmentation in your organization ensures that in case one of the networks is infected with a malware, the other subnetworks won’t be infected.
By implementing network segmentation, the data breach at the Starwood guest reservation network was contained to this network alone, preventing the spread of the intrusion to Marriott’s other properties, including Marriott-branded hotels.
Encrypt Important Data
While encryption alone isn’t enough to protect important data, encryption adds a security layer in data protection. Encryption also means that an unauthorized party has to undertake an extra step and extra time to get the decryption key to unlock the encrypted files.
In the case of the Marriott data breach, the only data that was encrypted was limited to payment card numbers. The hotel chain though doesn’t discount that the unauthorized party had gotten hold of the decryption key or keys to unlock the encrypted payment card numbers.
Encryption doesn’t have to be limited to payment card numbers. In the case of the Marriott data breach, important personally identifiable information, including passport numbers, wasn’t encrypted. What happened in the Marriott data breach was that instead of the company doing the encryption to add an additional layer of protection, the unauthorized party did the data encryption in order to avoid detection by any data-loss prevention tools.
Data decryption isn’t an easy thing to do. According to Marriott, while it discovered the data breach on September 8, 2018, it took the company until November 19, 2018 to decrypt the files encrypted by the unauthorized party.
Always Assume that an Intrusion Has Occurred
To date, the cause of the Marriott data breach is still unspecified. The hotel chain, however, identifies the culprit of the data breach as an "unauthorized party", a phrase that could mean a malicious insider or a malicious outsider.
Network intrusion carried out by a malicious outsider could happen in many ways. This could happen via phishing attacks using malicious emails containing malicious links and malicious attachments or via unknown security vulnerabilities exploited by a malicious outsider.
Proactive organizations have adopted the assumption that their networks are vulnerable to intrusion. Many organizations today engage the services of “penetration testers”, also known as ethical hackers. These ethical hackers search for and exploit security vulnerabilities in web-based applications, networks and systems and report back to the organization for the organization to fix the security loopholes.
Monitoring insider activities within the network is also important. Intrusion by a malicious insider should be assumed all the time. An insider has all the tools needed to abuse one’s access to the trove of data that your organization holds. Your organization must have an automated tool that flags unusual activities, such as abnormal working hours, abnormal access to voluminous data and, most importantly, unusual volume of data transfer.
Contact us today if you need assistance in protecting and detecting intrusions in your organization’s networks, resulting from the actions of a malicious insider or malicious outsider.
How to Prevent Accidental Database Leaks
Florida-based marketing and data aggregation firm Exactis is the latest organization that accidentally leaked a critical database online.
Security researcher Vinny Troia disclosed to Wired that early this month, Exactis exposed nearly 340 million records, 230 million of which pertain to U.S. consumers and 110 million to business contacts.
"It seems like this is a database with pretty much every US citizen in it," Troia told Wired. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
The close to 2 terabytes of data exposed by Exactis didn’t contain credit card information or Social Security numbers. It, however, revealed highly personal information, including phone numbers, home addresses, email addresses, religion, age, gender of the person's children, and interests like plus-size apparel and scuba diving.
Wired confirmed the authenticity of the data exposed by Exactis, commenting that in some cases the information is inaccurate or outdated.
Prior to his disclosure to Wired, Troia said he contacted both Exactis and the FBI about his discovery. He said Exactis has since protected the data so that it's no longer accessible to the public.
The number of records unintentionally exposed by Exactis exceeds that of 2017's Equifax breach of nearly 148 million consumers’ data. The difference though is that in the case of Exactis, victims aren’t even aware that they’re part of the company’s database.
Past Incidents of Accidental Database Leaks
While the Exactis data may have been the largest accidental database leak, in the past few years, reports about accidental database leaks have come up again and again.
Another security researcher, Chris Vickery, discovered a number of accidental database leaks. In December 2015, Vickery discovered that the database that housed 3.3 million Hello Kitty accounts was exposed as a result of a misconfigured MongoDB (a free and open-source cross-platform document-oriented database program) installation.
In April 2016, Vickery discovered that voter registration details of 93.4 million Mexican citizens were exposed via a publicly accessible database hosted on an Amazon cloud server.
In January 2017, Vickery also discovered that an Ontario-based plastic surgery clinic leaked thousands of customers’ medical records online via unprotected remote synchronization (rsync), a service which allows synchronization of files between two computers or servers over the internet.
In October 2017, Redlock researchers reported that attackers infiltrated the Kubernetes (open-source platform designed by Google to automate deploying, scaling and operating application containers) console of Aviva, a British multinational insurance company, after the company failed to secure it with a password. One of Aviva’s Kubernetes pods contained credentials to the company’s Amazon Web Service Inc. account. According to Redlock, this enabled the attackers to steal the cloud compute resources of Aviva for cryptocurrency mining, in particular, mining the cryptocurrency Bitcoin.
In February 2018, Redlock researchers reported that attackers similarly infiltrated the Kubernetes console of Tesla after the company failed to secure it with a password. One of Tesla’s Kubernetes pods contained credentials to Tesla’s Amazon Web Service Inc. account. Redlock said this enabled the attackers to steal the cloud compute resources of Tesla to mine the cryptocurrency Monero quietly in the background.
Accidental Leaks Discovery
According to Troia, he discovered the exposed Exactis’ database by simply using Shodan, an alternative search engine used by researchers and security professionals. Troia said he used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses.
This search query resulted in about 7,000 results, Exactis database being one of them, unprotected by any firewall. ElasticSearch is a document-oriented database that's designed to be easily searched over the internet.
For his part, Vickery told ZDNet that he finds accidental database leaks via Shodan as well. Nothing, however, stops malicious hackers from using tools like Shodan to discover accidental database leaks. The challenge for ethical hackers like Troia and Vickery is to discover accidental database leaks and report them to the concerned organizations before malicious hackers do.
"I’m not the first person to think of scraping ElasticSearch servers," Troia said in the case of Exactis’ accidental data leak. "I’d be surprised if someone else didn't already have this."
Data Leak Prevention
Here are some of the security best practices in preventing accidental database leaks:
1. Monitor Firewall Traffic
A firewall is your first line of defense in preventing accidental database leaks.
A firewall, which can be a hardware, software or both, monitors incoming and outgoing network traffic. It decides based on a defined set of security rules whether to allow or block specific traffic. For instance, a firewall can be configured to block data from certain locations or applications while allowing relevant data in.
RedLock reported that while a firewall is one of the industry’s best practices, “85% of resources were found to have no firewall restrictions on any outbound traffic”.
While a firewall is a good first line of defense, it can’t be the cure-all remedy in preventing accidental database leaks.
2. Monitor Configurations
Proper configuration is critical in preventing accidental database leaks. Configuration refers to the “Settings” menu in any software. Simple configuration monitoring could have prevented the Tesla breach.
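A configuration check for the kind of exposure behind the Exactis leak, as an added example that is not from the original article or from Exactis: it audits the text of an elasticsearch.yml for a non-loopback bind without authentication and reports findings that appeared since the previous run. The sample files are constructed, and a missing xpack.security.enabled is treated as disabled, which is an assumption matching Elasticsearch releases before 8.0.

```python
import ipaddress

# Constructed sample configurations, not taken from any real deployment.
EXPOSED = """\
cluster.name: marketing-data
network.host: 0.0.0.0      # listens on every interface
http.port: 9200
"""
HARDENED = """\
cluster.name: marketing-data
network.host: 10.0.4.12
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_settings(text):
    """Parse flat 'dotted.key: value' lines, the default elasticsearch.yml style."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def _hosts(value):
    """A bind setting may be one host or a [a, b] list."""
    return [h.strip().strip("\"'") for h in value.strip("[]").split(",") if h.strip()]


def _is_loopback(host):
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # _site_, _global_, hostnames: treat as reachable


def audit_elasticsearch(text):
    s = parse_settings(text)
    # http.host overrides network.host for the HTTP API; unset means loopback only.
    bind = s.get("http.host") or s.get("network.host") or "_local_"
    findings = []
    if not all(_is_loopback(h) for h in _hosts(bind)):
        findings.append("NON_LOOPBACK_BIND")
    # Assumption: a missing setting counts as disabled (pre-8.0 default).
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("AUTH_DISABLED")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("HTTP_TLS_DISABLED")
    return findings


def severity(findings):
    """Reachable from other hosts and unauthenticated is the leak condition."""
    if "NON_LOOPBACK_BIND" in findings and "AUTH_DISABLED" in findings:
        return "critical"
    return "warning" if findings else "ok"


def new_findings(previous, current):
    """Findings present now that were absent at the last check (config drift)."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        found = audit_elasticsearch(cfg)
        print(name, severity(found), found)
    print("drift:", new_findings(audit_elasticsearch(HARDENED),
                                 audit_elasticsearch(EXPOSED)))
```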
3. Monitor Suspicious User Behavior
As shown by the above-mentioned examples, it’s not uncommon to find accidental database leaks in public cloud environments. Your organization needs to detect accidental database leaks as soon as possible before the bad guys do.
Monitoring has to go beyond geo-location or time-based anomalies and also cover event-based anomalies, such as an unusual volume of traffic or an unusual volume of downloaded data.
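The two signals named here and in the Equifax and Marriott sections above, off-hours access and unusual transfer volume, combined in one detector as an added example that is not from the original article. The account names, the megabyte figures, the 08:00 to 18:00 working window and the median-plus-six-deviations threshold are all constructed assumptions.

```python
from datetime import datetime
from statistics import median

WORK_START, WORK_END = 8, 18  # assumed working hours, local time

# Constructed history: outbound megabytes per session for each account.
BASELINES = {
    "svc-reports": [120, 135, 110, 140, 125],
    "dba-jlee": [40, 55, 35, 60, 50],
}

# Constructed records: (timestamp, account, outbound megabytes).
SAMPLE_RECORDS = [
    ("2024-01-08T10:15:00", "svc-reports", 130),     # Monday, normal
    ("2024-01-09T02:40:00", "dba-jlee", 45),         # Tuesday, 02:40
    ("2024-01-10T14:05:00", "dba-jlee", 900),        # in hours, large
    ("2024-01-11T11:00:00", "tmp-contractor", 20),   # never seen before
    ("2024-01-13T23:10:00", "svc-reports", 2400),    # Saturday night, large
]


def off_hours(ts):
    """Weekend, or a weekday outside the working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def volume_threshold(history, k=6.0):
    """Median plus k robust deviations (MAD), so one past spike
    in the history does not raise the limit the way a mean would."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the deviation at 10% of the median for very flat baselines.
    return med + k * max(mad, 0.1 * med)


def flag_transfers(records, baselines):
    alerts = []
    for ts_str, account, mb_out in records:
        reasons = []
        if off_hours(datetime.fromisoformat(ts_str)):
            reasons.append("off-hours")
        history = baselines.get(account)
        if history is None:
            # No baseline means the volume cannot be judged; surface it.
            reasons.append("no-baseline")
        elif mb_out > volume_threshold(history):
            reasons.append("volume")
        if reasons:
            alerts.append((ts_str, account, reasons))
    return alerts


if __name__ == "__main__":
    for alert in flag_transfers(SAMPLE_RECORDS, BASELINES):
        print(alert)
```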
When your team needs help, our team of experts is a phone call away. Contact us today and stay safe!
2 Canadian Banks, BMO & CIBC’s Simplii Financial, Disclose Data Breaches
Two Canadian banks, Bank of Montreal (BMO) and Canadian Imperial Bank of Commerce-owned Simplii Financial, have disclosed early this week that cyber criminals may have stolen sensitive data of their combined 90,000 customers.
BMO is Canada’s 4th largest bank, while the Canadian Imperial Bank of Commerce (CIBC) is the country’s 5th largest bank.
A spokesman for Bank of Montreal told Reuters that nearly 50,000 of the bank’s 8 million customers across Canada were hacked. CIBC’s Simplii Financial, meanwhile, disclosed that fraudsters may have stolen certain personal and account information for nearly 40,000 of its customers.
According to CBC, a group of cyber criminals who claimed to have stolen sensitive data from the 2 banks sent an email to media outlets across Canada last Monday. The attackers said that stolen data would be sold to criminals if the banks don’t pay a $1-million ransom to be paid in the cryptocurrency Ripple by 11:59 p.m. Monday.
The attackers claimed that they’ve harvested personally identifiable information from customers of the 2 banks, including social insurance number, date of birth, address and phone number.
To prove the veracity of the email, the sender shared the identifying information of two Canadians, one for each bank. When CBC contacted those 2 individuals, they confirmed the veracity of the identifying information.
The ransom deadline has already passed. When contacted by CBC about whether any ransom had been paid, Bank of Montreal said, "Our practice is not to make payments to fraudsters."
Simplii, for its part, said that it’s "continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests."
The attacks on BMO and Simplii are noteworthy as both were disclosed on the same day by the 2 financial institutions and both were attacked by the same cyber criminals using the same method.
The email sent out by the group who claimed to have stolen data from BMO and Simplii Financial explained in detail how the data breaches on the 2 financial organizations were carried out.
According to the email sender, bank accounts from the BMO and Simplii Financial were breached by using the Luhn algorithm – a set of mathematical rules that’ll help to calculate an answer to a problem, in this case, generate the card numbers.
Using the generated card numbers, the attackers then posed as authentic customers who had forgotten their password. The group said the generated card numbers allowed them to reset the backup security questions and answers and reset the passwords.
“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said.
In Simplii Financial's official statement, the organization advised customers to always "use a complex password and pin (eg. not 12345)”. This statement is indicative that the bank isn’t using 2-factor authentication. BMO, meanwhile, offers 2-factor authentication.
A customer at Simplii Financial told The Globe and Mail that he was unable to log in to his account and the safety questions to recover his password had been changed.
In a study, Newcastle University researchers found that it only takes seconds to guess a bank account number by using the first six digits (which tell you the bank and card type) and the Luhn algorithm. One of the original purposes of the Luhn algorithm is for websites to immediately identify invalid card numbers.
"As an example, suppose one's credit card number is 5377223617291234. Here, the ‘4’ is the check digit. This digit can be determined solely from the digits that precede it through what is called the Luhn Algorithm,” the Oxford Math Center explains of the Luhn Algorithm. “If when entering this credit card number, one accidentally types a ‘7’ where the right-most "1" should be (i.e., 5377223617297234), the check digit produced from the first 15 digits, in accordance with the Luhn Algorithm, will now disagree with ‘4’ on the end – flagging this as an invalid credit card number.”
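The check the Oxford Math Center quote describes, followed by a detector for a password-reset form, as an added example that is not from the original article or from either bank. It shows why a Luhn-valid number proves nothing about identity: a customer's typo usually fails the check, while a source submitting many different numbers that all pass it is guessing. The log layout, source addresses, all-zero card numbers and the threshold of three are constructed assumptions.

```python
from collections import defaultdict


def luhn_check_digit(payload):
    """Luhn check digit for a digit string that lacks its final digit."""
    total = 0
    # Walk right to left; the digit next to the check position is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    """True when the last digit matches the check digit of those before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


# Constructed reset-form log: source address and the card number submitted.
SAMPLE_EVENTS = [
    # A customer mistypes once (the quote's example), then gets it right.
    {"src": "203.0.113.20", "card": "5377223617297234"},
    {"src": "203.0.113.20", "card": "5377223617291234"},
    # One source walks through different numbers, every one of them Luhn-valid.
    {"src": "198.51.100.7", "card": "0000000000000018"},
    {"src": "198.51.100.7", "card": "0000000000000026"},
    {"src": "198.51.100.7", "card": "0000000000000034"},
    {"src": "198.51.100.7", "card": "0000000000000042"},
    {"src": "198.51.100.7", "card": "0000000000000059"},
]


def flag_enumeration(events, max_distinct_valid=3):
    """Sources that submitted more distinct Luhn-valid numbers than allowed.

    Counting distinct valid numbers, not failed attempts, is the point:
    each guess is well-formed, so a format check never rejects it.
    """
    seen = defaultdict(set)
    for event in events:
        if luhn_valid(event["card"]):
            seen[event["src"]].add(event["card"])
    return sorted(src for src, cards in seen.items()
                  if len(cards) > max_distinct_valid)


if __name__ == "__main__":
    print(luhn_check_digit("537722361729123"))   # check digit of the quoted number
    print(luhn_valid("5377223617297234"))        # the quoted typo
    print(flag_enumeration(SAMPLE_EVENTS))
```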
If you’ve an account in either BMO or Simplii Financial, it’s important to monitor your account for signs of unusual activity. Both banks are offering free credit monitoring and guarantee a 100% reimbursement for any unauthorized transaction.
The recent data breaches at BMO and Simplii Financial could’ve been prevented by data encryption. Organizations, especially those in the financial sector, are required to safeguard personally identifiable information of their clients.
One of the ways of safeguarding sensitive information is by encrypting the data. Encryption changes the data into something incomprehensible, rendering the data useless to the attackers without the secret code.
“The banks involved in claims of a potential data breach acted swiftly in response, launched full-scale investigations and took immediate action to enhance online security measures to protect customers," the Canadian Bankers Association told Bloomberg.
“When you’re dealing with financial information, you should have the highest level of privacy protection possible,” Dr. Ann Cavoukian, former privacy commissioner of Ontario and a distinguished expert-in-residence who leads Ryerson University’s Privacy by Design Centre, told the Financial Post. “This is a real eye-opener. The question that that begs is why weren’t you engaging in those measures all along?”
Top 5 Cybersecurity Predictions in 2018
It’s the year-end. It’s the time of the year when we look back at the salient events that made a great impact in the cybersecurity world, and make predictions of what the new year will bring.
Here are the top 5 cybersecurity predictions for 2018:
1. Cryptocurrency Mining
The growth of cryptocurrency this year is unprecedented, with the total value of close to 500 billion US dollars as of December 24, 2017. While Bitcoin is the most dominant cryptocurrency in the market, other cryptocurrencies have soared as well. Cryptocurrency Monero, for instance, has a total market cap of $5.1 billion as of December 24, 2017, with one coin of Monero valued close to $335.
“Mining” is needed for many cryptocurrency coins like Bitcoin and Monero to be processed and released. In the past, Bitcoin could be mined using ordinary computers. Today, Bitcoin can only be mined using specific and high-powered computers, leaving the mining to big companies. Other cryptocurrencies, however, can be mined using ordinary computers. Monero, in particular, can be mined using ordinary computers and even using smartphones.
The people who mine cryptocurrencies, called “miners”, are given a fair share of the coin value for the computer use. Unscrupulous individuals who want to earn more money from cryptocurrency mining, meanwhile, are scouring the internet looking for vulnerable computers and smartphones on which to install malicious software (malware) capable of mining cryptocurrency like Monero.
Adylkuzz cryptocurrency malware, which was released into the wild in May 2017, infects computers running a Microsoft operating system that have not installed Microsoft’s March 14, 2017 security update. Other cryptocurrency malware that proliferated this year includes Coinhive, Digmine and Loapi. Coinhive is distributed via compromised websites, Digmine via Facebook Messenger and Loapi via online advertising campaigns.
Cryptocurrency mining malware eats up most of the computing power of servers, desktops, laptops and smartphones. This results in the slow performance of computers. The Loapi malware, in particular, is so powerful that it can even melt an Android phone.
“Although attacks that attempt to embed crypto-mining malware are currently unsophisticated, we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise,” Imperva Incapsula said in the article "Top Five Trends IT Security Pros Need to Think About Going into 2018”. “We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.”
2. Business Disruption
In 2017, the world saw the devastation brought about by ransomware and distributed denial-of-service (DDoS) attacks.
Ransomware is a type of malware that restricts user access to the infected computer until a ransom is paid to unlock it. Two of the notable ransomware strains this year, WannaCry and NotPetya, are essentially not ransomware, in the sense that the code of these two malware was written in such a way that even the attackers themselves can’t unlock the infected computers. Whether this was intentional or not, only the attackers know. But in this sense, these two malware are considered “wipers”, meant to bring business disruption.
“The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage,” researchers at McAfee said.
Another malware that brought widespread business disruption in 2017 was the Mirai botnet, a malware that infected close to 100,000 IoT devices, turned them into robots and launched a DDoS attack that brought down the managed DNS platform of Dyn, which, in effect, temporarily brought down 80 widely used websites like Amazon, Twitter, Tumblr, Reddit, Spotify and Netflix.
According to Imperva Incapsula, attackers in the upcoming year will probably adopt new business disruption techniques. Examples of these disruptive techniques include modifying computer configuration to cause software errors, system restarts, causing software crashes, disruption of corporate email or other infrastructure and shutting down an internal network (point-of-sale systems, web app to a database, communication between endpoints, etc.).
3. Breach by Insiders
The 2017 Cost of Data Breach Study (PDF) conducted by Ponemon and commissioned by IBM showed that 47% of data breaches were caused by malicious insiders and outsiders’ criminal attacks, 25% were due to negligent employees or contractors (human factor) and 28% were due to system glitches.
According to Imperva Incapsula, illegal cryptocurrency mining operations in corporate servers are on the rise, set up by insiders or “employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint.”
4. Artificial Intelligence (AI) as a Double-Edged Sword
In 2018, AI is expected to be used by cybercriminals as a means to speed up the process of finding security vulnerabilities in commercial products like operating systems and other widely used software. On the other hand, AI is expected to be used by cyberdefenders to improve cybersecurity.
“Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers,” researchers at McAfee said. “Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.”
In 2018, one thing is for sure: General Data Protection Regulation (GDPR) will be enforced on May 25, 2018.
GDPR is a European Union (EU) law that has an “extra-territorial” reach. Businesses that process personal data or monitor the online behavior of EU residents are still covered under this law even if they aren’t based in any EU country. Salient features of the law include consent requirement, right to be forgotten, transparency requirement, cybersecurity measures and data breach notification.
“In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come,” researchers at McAfee said.
Happy 2018, and Stay Safe!
Whole Foods Becomes the Latest Victim of a Cyber Attack
Whole Foods, the supermarket chain recently acquired by Amazon, becomes the latest victim of a cyber attack.
The supermarket chain officially acknowledged that the cyber attack potentially compromised its customers’ credit card details. The data breach, according to Whole Foods, affected only the point of sale system used in taprooms (bars) and restaurants located within some of the Whole Foods stores. As of November 2016, The Mercury News reported that 180 of Whole Foods’ 464 stores had bars and restaurants.
In its official statement, Whole Foods stressed that Whole Foods’ bars and restaurants use a different point of sale system from the company’s supermarket point of sale system. The company said that payment cards used at the supermarket point of sale system were not affected. It added that the systems of Amazon, which acquired the supermarket chain last month, don’t connect to the Whole Foods’ bars and restaurants system. As such, transactions on Amazon.com haven’t been affected.
Whole Foods’ public statement didn’t reveal how many customers may have been affected, how many bars and restaurants may have been involved or when the data breach was discovered.
The Whole Foods data breach came on the heels of the Sonic Drive-In cyber security breach. The American drive-in fast-food restaurant chain, with over 3,500 restaurants in 45 US states, confirmed that there's been some “unusual activity” on credit cards used at some of its restaurants. Similar to Whole Foods, the company didn’t disclose how many credit cards were potentially affected or when the data breach took place.
Krebs on Security reported that the Sonic Drive-In cyber security breach may have impacted millions of credit and debit cards.
“The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic,” Krebs on Security wrote.
About 5 million credit and debit card details recently put up for sale on the underground online site Joker’s Stash have been tied to a breach at Sonic Drive-In, according to Krebs on Security.
“I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs on Security said. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”
Cyber criminals typically steal credit card details from merchants that accept cards by hacking into their point of sale systems.
What is Point of Sale
Point of sale, also known as POS, is a system used by merchants where customers pay for goods or services. The POS system consists of hardware and software. The POS hardware refers to the device used to swipe a credit or debit card and the computer or mobile device attached to it. The POS software refers to the computer program that instructs the hardware what to do with the data it captures.
Through the years, there have been a number of vulnerabilities identified in the POS system. The vulnerability of the POS system was highlighted with the arrest and conviction of Albert Gonzalez, leader of the group that stole more than 90 million card records from retailers.
The Gonzalez group took advantage of the lack of point-to-point encryption in POS systems. When you pay with your credit card at a POS terminal, the credit card data housed in the card’s magnetic stripe is read and passed through a series of systems and networks before reaching the store’s payment processor.
In 2005, credit card details transmitted over a public network from a POS device were required to be encrypted using network-level encryption, for example, the Secure Sockets Layer (SSL). Within the internal network of the store, however, credit card details weren’t required to be encrypted except when stored.
The Gonzalez group took advantage of this lack of point-to-point encryption at the internal network level by installing network-sniffing tools that allowed Gonzalez and his group to steal over 90 million card details. As a result of the Gonzalez group’s criminal activities, many stores today use POS systems with encryption even at the internal network level.
Through the years though, POS attackers have honed their skills and a number of POS attack methods have been developed. Big companies like Target Corporation succumbed to POS attackers. In May of this year, 47 US states and the District of Columbia reached an $18.5 million settlement with Target that resolves the states' investigation into the company's 2013 data breach, which affected more than 41 million customer payment card accounts.
How to Prevent POS Attacks?
Customers’ credit card data in the POS system passes through the following:
In each of these stages, customers’ credit card data becomes vulnerable to POS attackers. On the terminal level, attackers can insert hardware like skimmers or firmware to steal credit card details. As data passes from terminal to cash register or cash register to central payment processing server, the data may be stolen using network traffic sniffing tools like the one used by the Gonzalez group. From the terminal to the internet exchange, there can be exposure of the encryption key. Credit card details may also be stolen via RAM scraping malware from the cash register level or at the central payment processing server level.
From terminal to internet exchange, mitigation strategy includes a firewall. At the cash register level or central payment processing server level, mitigating strategy includes endpoint security software. From cash register to central payment processing server, mitigating strategies include data encryption and the use of SSL. From terminal to internet exchange, mitigating strategy includes security information and event management (SIEM).
Network segmentation is also one of the mitigating strategies to counter POS attacks. The network segmentation of the Whole Foods’ bars and restaurants from Whole Foods supermarket and Amazon.com has prevented attacks on the other two Amazon assets. Target, meanwhile, in the 2013 data breach didn’t implement network segmentation.
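One check that the internal-network encryption described above is actually in effect, as an added example rather than anything from Whole Foods, Sonic or the original post: audit POS log or payload samples for card numbers that still appear in cleartext. The log lines, the test card number and the function names are constructed for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits so findings are safe to store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit(lines):
    """Return (line number, kind, masked PAN) for every cleartext card number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(pan):
                continue
            # Magnetic-stripe Track 2 data is framed as ;PAN=YYMM...?
            before = line[m.start() - 1] if m.start() > 0 else ""
            after = line[m.end():m.end() + 1]
            kind = "track2" if before == ";" and after == "=" else "pan"
            findings.append((lineno, kind, mask(pan)))
    return findings


# Constructed sample log lines; 4111111111111111 is a widely used test number.
SAMPLE_LINES = [
    "pos-07 auth ok txn=88231 amount=14.50",
    "pos-07 debug swipe raw=;4111111111111111=2512101123?",
    "pos-03 debug card=4111 1111 1111 1111 exp=12/25",
    "pos-03 order ref 1234567812345678 shipped",
    "pos-09 token=tok_9f2c1e masked=411111******1111",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LINES):
        print(finding)
```

Any finding means card data is reaching that log or network segment unencrypted; a "track2" finding means full stripe data is being captured.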
When you need help protecting your mission critical applications and infrastructure, give us a call to speak with one of our cyber security and compliance experts.
Major Accounting Firm Deloitte Admits It Suffered Cyber Attack
Deloitte, one of the world’s “big four” accountancy firms, admitted that it suffered a cyber attack. The company, however, downplayed the cyber attack saying that "only very few clients were impacted" and "no disruption" to client businesses happened.
Deloitte’s clients include 80% of the Fortune 500 companies and more than 6,000 private and middle market companies.
British news outlet The Guardian and cyber security journalist Brian Krebs have come out with a different take on Deloitte’s cyber attack.
Sources told the British news outlet that an estimated 5 million emails have been accessed by the hackers in the Deloitte cyber attack. A source close to the Deloitte cyber attack investigation, meanwhile, told Krebs that the Deloitte hacking incident involved the compromise of all administrator accounts at the company as well as the company’s entire internal email system.
“In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information,” Nick Hopkins of The Guardian wrote. “Some emails had attachments with sensitive security and design details.”
The Guardian reported that Deloitte discovered the hack in March of this year but the hackers may have had access to the company’s systems since October or November 2016. This hacking period was confirmed by Krebs who said that the Deloitte hacking dates back to at least the fall of 2016.
“Deloitte has sought to downplay the incident, saying it impacted ‘very few’ clients,” Brian Krebs wrote. “But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.”
“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” Deloitte said in a statement. “The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.”
A source told Krebs that Deloitte “does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.”
Cause of the Cyber Attack
Sometime in October 2016, Deloitte may have sensed that something was wrong as the company sent out an email to all its employees in the US calling for a mandatory password reset. The notice included advice to pick complex passwords and a warning that employees who failed to change their passwords or personal identification numbers (PINs) by Oct. 17, 2016 wouldn’t be able to access email or other Deloitte applications.
According to The Guardian, Deloitte’s global email server was compromised through an “administrator’s account” – an account that has unrestricted access to all aspects of the email server. The administrator’s account required only a single password and didn’t have 2-step verification, sources of The Guardian said.
By relying only on a password – single factor authentication, Deloitte’s email system became highly vulnerable to cyber attack.
Hackers nowadays find it easy to hack emails protected by only a single factor of authentication, such as a password, due to the following reasons:
Prior to the massive hack at Equifax where personal identifiable information like names, Social Security numbers, birth dates, addresses of 143 million Americans, 100,000 Canadians and 400,000 UK residents were stolen, Equifax was a victim of an earlier hacking incident.
On May 15 of this year, the Counsel for TALX Corporation – a wholly owned subsidiary of Equifax – informed the Attorney General of New Hampshire about a hacking incident that harvested W-2 tax forms of the employees of the corporate clients of TALX. According to the Counsel for TALX, hackers gained access to the website of TALX and harvested W-2 tax forms of customers by successfully answering personal questions used to reset “PINs” or passwords to access the website.
“Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” the Counsel for TALX said.
“It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN,” Avivah Litan, a fraud analyst with Gartner, told Krebs, in reaction to the TALX-Equifax data breach. “That’s so 1990s.”
What is a 2-Step Verification
Many companies like Google, Facebook and Apple have adopted the 2-step verification, also known as two-factor authentication.
The 2-step verification is one of the security measures to help keep bad guys out. An example of the 2-step verification is that of Gmail where you'll be asked to enter your password as usual. In addition to the password, you'll be asked for something else. A code will be sent to your smartphone via text, voice call or mobile app. You can sign in using this code. You can also sign in using a USB security key – a small device that connects to your computer.
Can the 2-step verification totally keep the bad guys away? The two-factor authentication offers more protection than logging into an email account without it. This added layer of security can stop certain groups of hackers. It can’t, however, stop other sophisticated cyber attacks.
The USB security key is considered as more secure compared to the code sent via smartphone. There’s, however, the danger of this device being lost or stolen. Cyber criminals, in the past, have infected mobile devices to steal 2-step verification security codes.
Your organization’s entire internal email system could be full of sensitive information. Protecting your company’s email system goes beyond a password – single factor authentication. Email security also goes beyond the two-factor authentication.
Contact us today if you need further protection for your organization’s internal email system.
Wall Street’s Top Regulator Discloses Own Data Breach
The US Securities and Exchange Commission (SEC) – Wall Street’s top regulator – is the latest entity that publicly acknowledged that it was a victim of a cyber attack.
SEC Chairman Jay Clayton, who took office in May of this year, admitted that in August 2017, the Commission learned that a hacking incident detected way back in 2016 “may have provided the basis for illicit gain through trading”.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” said Chairman Clayton. “We must be vigilant. We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
This recent cyber attack disclosure came just two weeks after the massive data breach at credit monitoring company Equifax, affecting 143 million Americans – almost all of the adults in the US, and affecting 100,000 Canadians and 400,000 UK residents.
This recent SEC hacking incident puts the Commission in an uneasy position given that it’s the government body that’s responsible for enforcing securities laws, issuing rules and regulations and ensuring that securities markets are fair, honest and provide protection for investors. The Commission, in particular, has the power to fine private entities for failing to safeguard customer information.
In June 2016, Morgan Stanley Smith Barney LLC paid a $1 million SEC fine over stolen customer data. The Morgan Stanley case originated from the act of a then-employee who accessed and transferred the data of nearly 730,000 accounts to his personal server, which was then eventually hacked by third parties.
The Commission found Morgan Stanley violated Regulation S-P, a regulation that requires registered investment companies, broker-dealers and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." Morgan Stanley agreed to settle the charges without denying or admitting the SEC findings.
In September 2015, a St. Louis-based investment adviser firm paid a $75,000 SEC fine for failing to establish the needed cyber security policies and procedures, resulting in a data breach that compromised the personally identifiable information (PII) of nearly 100,000 individuals, including thousands of the clients of the firm. SEC, in its decision, said the firm “failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.”
Patch, Patch, Patch
According to SEC Chairman Clayton, hackers exploited the software vulnerability of the Commission’s corporate filing system known as “EDGAR”, short for electronic data gathering, analysis and retrieval. The software vulnerability was patched after discovery, the SEC Chairman said.
The Commission’s EDGAR system performs automated collection, validation, indexing, acceptance and forwarding of data submitted by companies and others required to file certain information with the Commission. The system, in particular, receives, stores and transmits nonpublic information, including data which relates to the operations of credit rating agencies, issuers, investment advisers, broker-dealers, clearing agencies, investment companies, municipal advisors, self-regulatory organizations ("SROs") and alternative trading systems ("ATSs").
What is a Patch
A patch is a piece of code that’s added into a software program to fix a defect also known as software bug, including a security vulnerability. Patches are created and released by software creators after defects or security vulnerabilities are discovered. If a patch isn’t applied in a timely manner or if a software creator no longer offers a patch, cyber criminals can exploit a known vulnerability.
The Common Vulnerabilities and Exposures (CVE), an international industry standard, lists and assigns names to all known cyber security vulnerabilities. The United States Computer Emergency Readiness Team (US-CERT) provides an up-to-date list of known vulnerabilities and patches.
“Federal agencies consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available,” Gregory Wilshusen, Director for Information Security Issues, said in a written statement before the Subcommittee on Research and Technology, Committee on Science, Space, and Technology, House of Representatives in February 2017. “We also consistently identify instances where agencies use software that is no longer supported by their vendors. These shortcomings often place agency systems and information at significant risk of compromise, since many successful cyberattacks exploit known vulnerabilities associated with software products. Using vendor-supported and patched software will help to reduce this risk.”
The 2 major cyber attacks in 2017 – WannaCry and the Equifax data breach – exploited known vulnerabilities in computers that were unpatched.
WannaCry ransomware, which affected thousands of computers worldwide in May of this year, exploited the vulnerability in Microsoft Windows. This particular vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Microsoft, for its part, released a patch or security update for this known vulnerability in March 2017 – two months before WannaCry was released into the wild.
For the Equifax data breach, the identified cause was the vulnerability in the Apache Struts in the US online dispute portal web application of Equifax. According to Equifax, the data breach happened from May 13, 2017 to July 30, 2017.
The Apache Software Foundation, a not-for-profit corporation that manages and provides patches for Apache Struts, released 4 patches for 4 known vulnerabilities from March 2017 to July 2017.
Even as cyber vulnerabilities are made public and patches are released, many organizations still fall victim to cyber attacks for failing to simply apply the available patches. According to the Apache Software Foundation, the majority of the breaches that came to its attention are “caused by failure to update software components that are known to be vulnerable for months or even years.”
Days after the patch for CVE-2017-5638 – a critical vulnerability in Apache Struts that allows attackers to take almost complete control of web servers used by banks and government agencies – was made available to the public, security researchers still noticed a spike of attacks exploiting this vulnerability.
Patching known vulnerabilities in a timely manner is important as cyber criminals are quick to make use of newly published cyber security vulnerabilities, using them to launch cyber attacks within days.
Monitoring and managing vulnerabilities and threats is only effective when done regularly. Identifying security vulnerabilities is an onerous task generally assigned to your company's IT department. We can save you time and money by proactively scanning your infrastructure and networks, helping you prevent a data breach. Connect with us today to learn more and protect your business.
Apache Struts Vulnerability: There’s More to It Than Patching
Equifax claimed in its latest announcement that the vulnerability in the Apache Struts in its US online dispute portal web application caused the massive data breach affecting 143 million Americans – almost all of the adults in the US.
What is Apache Struts?
Apache Struts is an open-source framework for developing web applications in the Java programming language. It’s used by a significant number of organizations for developing publicly-accessible web applications like airline booking systems and internet banking applications.
The Apache Software Foundation, a not-for-profit corporation, manages, provides organizational, legal and financial support for the Apache open-source software projects, including Apache Struts.
According to Equifax, the data breach that harvested names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million US citizens occurred from May 13, 2017 to July 30, 2017.
During this period, hackers also accessed credit card numbers for nearly 209,000 US customers, certain dispute materials with personal identifying information for almost 182,000 US customers and personal information for certain Canadian and UK residents.
From March 2017 to September 2017, security researchers have identified several critical vulnerabilities in Apache Struts. These include:
Notable Apache Struts Vulnerability #1: CVE-2017-5638
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts that particularly affects the Jakarta Multipart parser. Hackers exploiting this vulnerability can attack a web application, take full control of the web server and inject it with commands of their choice.
Nick Biasini, threat researcher at Cisco Talos, said they observed and blocked several attacks exploiting this vulnerability in Apache Struts. According to Biasini, one type of attack exploiting this vulnerability initially stops the firewall protecting the server and ultimately downloads and executes malware of their choice.
Notable Apache Struts Vulnerability #2: CVE-2017-9805
CVE-2017-9805 is another critical remote code execution vulnerability in Apache Struts. All web apps using the popular REST plugin of Apache Struts are particularly vulnerable. Security researchers at lgtm discovered this vulnerability. If this vulnerability is exploited, hackers can run malicious code on the app server, and either take full control of the machine or launch further attacks.
“This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications,” Man Yue Mo, one of the lgtm security researchers who discovered this vulnerability, said. “Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.”
Citing analyst Fintan Ryan at RedMonk, lgtm noted that at least 65% of the Fortune 100 companies are actively using web apps built with the Apache Struts framework.
Common Patching Versus Web App Patching
All of the above-mentioned vulnerabilities in Apache Struts have already been patched by the Apache Software Foundation. Many organizations, however, still haven’t patched their vulnerable web apps.
While most vulnerability fixes require only downloading a patch, installing it and rebooting a machine, fixing an Apache Struts vulnerability is different as it needs each web app to be recompiled using a patched version. In fixing an Apache Struts vulnerability, the web app code will have to be changed as opposed to just applying the vendor patch.
In addition to the complexity of patching a web app, organizations also have problems in getting trusted and skilled personnel to patch the web apps since most of the original web app developers have moved on to other projects or to other companies.
The time element between waiting for the right personnel to patch the web app and waiting for the code modification is critical. One of the preventive measures that your organization can use is virtual patching.
“Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you’re able to patch them,” Imperva said.
Additional Preventive Measures
The Apache Software Foundation said in a statement, “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework.”
The not-for-profit organization, however, said that the majority of the breaches that came to the organization’s attention are “caused by failure to update software components that are known to be vulnerable for months or even years.”
The Apache Software Foundation offers the following additional recommendations to prevent data breaches arising from Apache Struts vulnerabilities:
“1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.
“2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months.
“3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.
“4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.
“5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.”
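One way to combine the virtual patching and the access-pattern monitoring described above, as an added example (not code from the Apache Software Foundation, Imperva or Equifax): a filter that rejects requests whose Content-Type, Content-Disposition or Content-Length header carries an expression marker, the delivery channel named in the public description of CVE-2017-5638, and alerts when one source trips it repeatedly. The rules, the threshold and the sample requests are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Headers named in the public CVE-2017-5638 description as carrying the
# crafted value that reaches the Jakarta Multipart parser.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

# Expression-language openers have no legitimate place in these headers.
EXPRESSION_MARKER = re.compile(r"[%$]\{")

# A well-formed Content-Type: type/subtype plus optional ;key=value parameters.
VALID_CONTENT_TYPE = re.compile(
    r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=("[^"]*"|[^\s;"]+))*\s*$'
)

ALERT_THRESHOLD = 3  # assumed: blocked requests per source before alerting


def inspect_request(headers):
    """Return (allowed, reason) for one request's header dict."""
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in WATCHED_HEADERS:
        value = lowered.get(name)
        if value is None:
            continue
        if EXPRESSION_MARKER.search(value):
            return False, f"expression marker in {name}"
        if name == "content-length" and not re.fullmatch(r"[0-9]+", value.strip()):
            return False, "non-numeric content-length"
        if name == "content-type" and not VALID_CONTENT_TYPE.match(value):
            return False, "malformed content-type"
    return True, "ok"


def triage(requests):
    """Apply the filter to (source, headers) pairs; return decisions and alerts."""
    blocked = Counter()
    decisions = []
    for source, headers in requests:
        allowed, reason = inspect_request(headers)
        decisions.append((source, allowed, reason))
        if not allowed:
            blocked[source] += 1
    alerts = sorted(s for s, n in blocked.items() if n >= ALERT_THRESHOLD)
    return decisions, alerts


# Constructed sample traffic; addresses are documentation ranges and the
# header values are inert placeholders, not working payloads.
SAMPLE_REQUESTS = [
    ("192.0.2.10", {"Content-Type": "multipart/form-data; boundary=----abc123",
                    "Content-Length": "512"}),
    ("203.0.113.7", {"Content-Type": "%{CONSTRUCTED-PLACEHOLDER}.multipart/form-data"}),
    ("203.0.113.7", {"Content-Type": "${CONSTRUCTED-PLACEHOLDER}"}),
    ("203.0.113.7", {"Content-Disposition":
                     'form-data; name="upload"; filename="%{CONSTRUCTED-PLACEHOLDER}"'}),
    ("198.51.100.4", {"Content-Type": "application/json"}),
    ("198.51.100.4", {"Content-Type": "not a media type"}),
]

if __name__ == "__main__":
    decisions, alerts = triage(SAMPLE_REQUESTS)
    for decision in decisions:
        print(decision)
    print("alert on:", alerts)
```

A filter like this narrows the window of exposure while the web app is rebuilt against a patched Struts release; it does not replace that rebuild.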
Insider Data Breach: An Enemy Within
Last week, an international health insurance company publicly acknowledged that one of its employees stole information that affected records of 547,000 customers.
The affected company said that while the stolen records didn’t include financial or medical data, records including names, dates of birth, nationalities, contact and administrative details were stolen. The company said that the employee responsible was fired immediately after the breach was discovered and that it is taking appropriate legal action.
DataBreaches.net first reported the data breach of this international health insurance company when a vendor calling himself or herself on the dark web as “MoZeal” claimed that he or she has over 1 million records for sale.
When contacted about the pricing, according to DataBreaches.net, MoZeal allegedly replied:
"Thanks for your inquiry bro, but before i start talking about pricing i would just like to clarify that this medical database is the only unique db if not only one on the entire dark web market with over 1million entries and over 122 countries as a whole not to mention its come straight from one of the world class health insurance companies. so you can imagine the information is very sensitive but also exclusive."
The international health insurance company disputed the 1 million records claim, and said in a statement, “Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed. The disparity in numbers claimed and those taken, relates to duplicate copies of some records.”
This latest data breach incident shows the weakest link in cyber security: the insider.
Who is an Insider
An “insider” can be anyone who has physical or remote access to your company's confidential data. Although an insider often refers to your employee, your business partner, client or maintenance contractor who has access to your company's confidential data can also be considered as an insider.
An insider can either be a malicious insider or an inadvertent insider. An inadvertent insider can be an employee who was tricked into downloading a malware-laden document which then gives cyber criminals access to a company’s confidential information. A malicious insider refers to anyone who snoops on files, steals information, or appears to have knowingly violated the law.
Extent of Insider Data Breach
IBM’s global threat intelligence report found that over 200 million financial services records were breached in 2016. Fifty-eight percent of the data breaches in 2016 in the financial services sector were a result of insider attacks, while outsider attacks accounted for only 42%. Of the 58% insider attacks, 5% were made by malicious insiders and 53% were made by inadvertent insiders.
The IBM report also found that in 2016 the healthcare sector was more affected by insider attacks (71%) than outsider attacks (29%). Out of the 71% insider attacks, 25% were malicious insider attacks and 46% were inadvertent insider attacks.
For its part, Protenus reported that 43% of the 2016 U.S. health data breaches – total of 192 incidents – were the handiwork of insiders. Of the 192 insider breaches, 99 of these incidents were a result of inadvertent insiders, 91 incidents were a result of malicious insiders, and in 2 incidents there was insufficient information to determine whether the incidents should be considered as inadvertent or malicious.
Health Data Malicious Insider Breaches Take 607 Days to Discover
According to Protenus, in 2016, the average time it took healthcare organizations to discover they had a health data breach was 233 days. The most troubling part of breach discovery, according to Protenus, is in cases of malicious insiders in which the average discovery period was 607 days – more than double the typical data breach discovery period.
Protenus gives two explanations why it takes so long to discover a breach:
1. Limited Budgets and Resources
With limited budgets and resources, not all organizations will be able to detect breaches in an automated and precise manner.
2. Reactive Approach to Data Breach
Many organizations have taken a reactive approach to data breach – only worrying about breaches once they are brought to their attention by the affected party or third party like the media.
“Insiders are a very real risk to the security of patient data,” Protenus said. “The high number of breach incidents, and the fact that these small-scale breaches can often go undetected, make these breaches especially devastating.”
How to Prevent Insider Data Breach
Here are two ways to prevent insider data breach:
1. Educate Employees
According to IBM, the reality that the cyber insider attacks targeting the healthcare and financial service sectors were largely the result of inadvertent insiders may be due to these industries having a greater susceptibility to phishing attacks.
A phishing attack happens when cyber criminals try to trick you into sharing personal or work-related information online. Cyber criminals typically use email, ads, or sites that appear similar to sites you already use as common phishing methods. An email that appears like it’s from your bank requesting that you confirm your bank account number is an example of phishing.
One way to prevent inadvertent insider attacks is by educating employees – through in-person instruction, video, webinars – about phishing and how to avoid becoming a victim.
2. Automation and Preventative Controls
To prevent data breaches from both malicious and inadvertent insiders, it pays to invest in an automated data breach detection tool. If an organization only depends on one or two persons to detect data breaches, it will take significant time before a breach can be discovered. With automation, the threat can be detected immediately and in a precise manner.
“We predict that 2017 will be the Year of Insider Breach Awareness, with organizations realizing that this constant and significant problem has gone unaddressed for too long, with the focus for the last couple of years being more about catching up on external threats,” Protenus said.
While the great majority of our business partners, employees, clients and contractors pose no threat, it pays to be proactive in detecting data breaches. While it takes only a few minutes to steal data, it can take months and years to recover data and rebuild positive business reputation.
When you need to protect your data against the insider threats, and don't have in-house expertise, please contact us and we will be happy to help.
Steve E. Driz