Tag Archives: breach

British Airways data breach may be the work of Magecart

The British Airways data breach may have been the handiwork of the threat actor group known as Magecart.

Security researchers at the threat intelligence company RiskIQ Inc., reported that they suspect Magecart was behind the late August British Airways data breach, based on their analysis of the evidence. The Magecart group focuses on online credit card skimming attacks and is believed to be behind the Ticketmaster data breach discovered in June 2018.

British Airways reported on Sept. 6 that it had suffered a breach affecting around 380,000 customers. The company said the personal and payment information compromised had been entered in payment transactions made on the website and the mobile app between Aug. 21 and Sept. 5.

In a blog post published a week later, RiskIQ researcher Yonathan Klijnsma said that because the British Airways data breach announcement stated that the breach had affected the website and mobile app but made no mention of breaches of databases or servers, he noticed similarities between this incident and the Ticketmaster breach.

The Ticketmaster breach was caused by a web-based credit card skimming scheme that targeted e-commerce sites worldwide. The RiskIQ team said that the Ticketmaster breach was the work of the hacking group Magecart, and was likely not an isolated incident, but part of a broader campaign run by the group.

The similarities between the Ticketmaster breach and the reports of the British Airways data breach led Klijnsma and the RiskIQ team to look at Magecart’s activity.

“Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart,” Klijnsma wrote. “The same type of attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident.”

Klijnsma said they were able to expand the timeline of the Ticketmaster activity and discover more websites affected by online credit card skimming.

“Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits,” Klijnsma explained. “Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code.”

He noted that in the British Airways case the research team had received no alerts, because the group had customized its skimmer. Once they examined British Airways’ web and mobile apps specifically, they noticed the similarities, and the differences.

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” Klijnsma wrote. “This particular skimmer is very much attuned to how British Airway’s (sic) payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

Klijnsma also said it was likely Magecart had access to the British Airways website and mobile app before the attack reportedly started.

“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” he wrote.

Magecart, RiskIQ noted, has been active since 2015 and has been growing progressively more threatening as it customizes its skimming schemes for particular brands and companies.

In other news

  • President Donald Trump signed an executive order this week that imposes sanctions on anyone who attempts to interfere with U.S. elections. After Russian interference in the 2016 U.S. presidential election, there are fears of further interference in the upcoming 2018 midterm election, and the order responds by providing for sanctions against foreign companies, organizations or individuals found to have interfered with U.S. elections. The order says government agencies must report any suspicious or malicious activity to the director of national intelligence, who will investigate the report and determine its validity. If the director of national intelligence finds that the suspect group or individual has interfered, a 45-day review and assessment period follows, during which the Department of Justice and the Department of Homeland Security decide whether sanctions are warranted. If they are, the foreign group or individual could have their U.S. assets frozen or be banned from the country.
  • A vulnerability in Apple’s Safari web browser enables attackers to launch phishing attacks. Security researcher Rafay Baloch discovered the vulnerability and was also able to replicate it in the Microsoft Edge browser. Baloch published the proof of concept for both browser vulnerabilities early this week, and while Microsoft had addressed the issue in its August Patch Tuesday release — citing an issue with properly parsing HTTP content as the cause — Apple has yet to issue any patches for it. The vulnerability in Safari iOS 11.3.1 could thus still be used to spoof address bars and trick users into thinking they are visiting a legitimate site that is actually malicious.
  • The hacker known as “Guccifer” will be extradited to the U.S. to serve a 52-month prison sentence. A Romanian court ruled that the hacker, who is known for exposing the misuse of Hillary Clinton’s private email server before the 2016 U.S. presidential election and whose real name is Marcel Lehel Lazar, will be extradited to America to serve his 52-month sentence after finishing his seven-year sentence in Romania — his home country. Lazar pleaded guilty in May 2016 to charges of unauthorized access to a protected computer and aggravated identity theft. Lazar is believed to have hacked into the accounts of around 100 people between 2012 and 2014, including former Secretary of State Colin Powell, CBS Sports’ Jim Nantz and Sidney Blumenthal, a former political aide to Bill Clinton and adviser to Hillary Clinton.

Missouri hospital sued over medical records breach

A hospital in Missouri faces a lawsuit after a medical records breach occurred as a result of an email phishing scam, something that’s difficult to protect against within healthcare organizations, according to a security expert.  

In January, Children’s Mercy Hospital in Kansas City, Mo., notified 63,049 individuals who were potentially affected by the medical records breach, according to Jake Jacobson, Children’s Mercy director of public relations.

An investigation led by the hospital determined that the contents of four of the five affected employees’ mailboxes had been downloaded by unauthorized individuals. According to the notification, the information accessed during the incident varied by individual, but could include medical record number, first and last name, date of birth, gender, age, height, weight, body mass index, admission and discharge date, procedure date, diagnostic and procedure codes, demographic information, clinical information, conditions and diagnosis, and other treatment information and identifying or contact information.

Fight back with email screening tools

Security expert Larry Ponemon said a number of healthcare providers are particularly susceptible to phishing scams because cybersecurity is not their “highest priority” and they often lack a “good governance process” for controlling data access. Ponemon is the founder of Ponemon Institute, which studies data protection and information security.

“It seems like the healthcare industry, healthcare providers [are] the most vulnerable relative to the industries we study,” Ponemon said.

Within the healthcare industry there’s “not really a great technology that could identify a phishing email,” Ponemon said. He noted that implementing employee training and installing email screening tools that scour incoming emails, attachments and embedded URLs to identify potential phishing attacks could go a long way toward keeping such incidents at bay.

“A lot of phishing scams I’ve seen have not been all that difficult to see,” Ponemon said. “If you look at the information, read the link, you can guess with about 90% accuracy that basically this is not real and [is] likely to be a phishing email. But people in healthcare are under a lot of pressure, so when they get an email they don’t necessarily stop and check the terms in each email.”
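The check Ponemon describes, reading the link before trusting it, is simple enough to automate. The following is an added example, not from the article or from any tool it mentions: a small Node.js screen that walks the anchors in an email body and flags the usual tells, a visible URL whose domain differs from the real target, an IP-literal or plain-HTTP destination, and a host that merely contains a trusted domain’s name. The hospital domain, the email body and the last-two-labels domain heuristic are assumptions made for the example.

```javascript
// Added example (not from the article): a minimal link screen of the kind
// Ponemon describes, applied to a constructed phishing e-mail body.
// The trusted domain, the e-mail and the domain heuristic are assumptions.
const ANCHOR_RE = /<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;

function hostOf(s) {
  try { return new URL(s).hostname.toLowerCase(); } catch (e) { return null; }
}

// Registrable-domain approximation: the last two labels. Assumption made for
// brevity; a production screen would consult the Public Suffix List.
function baseDomain(host) {
  return host ? host.split('.').slice(-2).join('.') : null;
}

// Visible link text is "URL-like" if it parses as a URL or looks like a bare
// domain such as portal.example-hospital.org.
function hostNamedInText(text) {
  const parsed = hostOf(text);
  if (parsed) return parsed;
  return /^[\w-]+(\.[\w-]+)+$/.test(text) ? text.toLowerCase() : null;
}

function screenLinks(html, trustedDomains) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    const hrefHost = hostOf(href);
    const reasons = [];
    if (!hrefHost) {
      reasons.push('href does not parse as a URL');
    } else {
      if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hrefHost)) reasons.push('IP-literal host');
      if (!/^https:/i.test(href)) reasons.push('not https');
      const textHost = hostNamedInText(text);
      if (textHost && baseDomain(textHost) !== baseDomain(hrefHost)) {
        reasons.push(`text shows ${textHost} but target is ${hrefHost}`);
      }
      for (const t of trustedDomains) {
        const legit = hrefHost === t || hrefHost.endsWith('.' + t);
        if (!legit && hrefHost.includes(t.split('.')[0])) reasons.push(`lookalike of ${t}`);
      }
    }
    if (reasons.length) findings.push({ href, text, reasons });
  }
  return findings;
}

// Constructed sample: three links, of which the first two should be flagged.
const SAMPLE_EMAIL = `
<p>Your mailbox is over quota. <a href="http://198.51.100.7/owa/login">Click here</a>
to keep receiving messages.</p>
<p>Or sign in at
<a href="https://example-hospital.org.login-secure.net/owa">https://portal.example-hospital.org/owa</a></p>
<p>Read the policy: <a href="https://portal.example-hospital.org/policy">https://portal.example-hospital.org/policy</a></p>
`;

const TRUSTED = ['example-hospital.org'];

for (const f of screenLinks(SAMPLE_EMAIL, TRUSTED)) {
  console.log(`${f.href}\n  text: "${f.text}"\n  ${f.reasons.join('; ')}`);
}
```

Run with node; it prints the two flagged links and says nothing about the legitimate one. A mail gateway applies the same rules at delivery time, with the Public Suffix List in place of the last-two-labels shortcut; the point is that the mismatches a trained user is asked to spot are mechanical to check.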

Additionally, Ponemon said healthcare organizations often operate a “flat network,” instead of having layers, meaning when something happens in one device, it can spread very quickly to multiple devices, which he described as a “lateral infection.”

“Malware infections on one system can actually touch hundreds or even thousands of systems in the world of IoT; in healthcare everything is about an IoT device,” Ponemon said. “That’s why it’s easy for bad stuff, malware, phishing scams, to spread quickly.”

Jacobson, with Children’s Mercy, said the hospital has taken steps to protect against further incidents, including adding multifactor authentication as an additional technical control. The hospital has also set up a call center and an informational webpage to answer questions from families who might have been affected, and is offering those families free identity theft protection.

Medical records breaches not new

The lawsuit against Children’s Mercy Hospital was filed by the firm McShane & Brady in July. Attorney Maureen Brady said the firm would like to see medical records breaches stopped.

“It’s very hard because you can’t unring that bell,” Brady said. “Once the information is out, it’s out forever; you can’t get it back … the anxiety and embarrassment and humiliation that goes along with this type of disclosure is astronomical.”

The threat of a medical records breach occurring is not new to the healthcare community. Though 2017 saw fewer massive health data breaches compared to 2016, 5.6 million Americans suffered from a medical records breach, an average of at least one medical records breach per day throughout the year, according to data released last year by Protenus.

In addition to the newly filed lawsuit, Children’s Mercy Hospital has faced other lawsuits in the past for medical records breaches.

Yale data breach discovered 10 years too late

Yale University discovered it suffered a data breach — 10 years ago.

The Yale data breach occurred at some point between April 2008 and January 2009, but officials are unsure exactly when. The Yale data breach included sensitive data such as names, Social Security numbers and birth dates on an unknown number of people, as well as some email addresses and physical addresses.

Because the Yale data breach happened so long ago, the university said it did not have much information on how it occurred. In its announcement of the breach, Yale noted that in 2011, the school’s IT “deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time.”

The Yale data breach was not discovered until June 2018 when the school’s IT was “testing its servers for vulnerabilities and discovered a log that revealed the intrusion.”

Ryan Wilk, vice president at NuData Security, said the data included in the breach was more than enough to put users at risk.

“Although financial information was not exposed, even having your Social Security number, name, address and date of birth stolen can still cause problems,” Wilk wrote via email. “Cybercriminals can use this information to create a complete profile of students. Add a bit of social engineering, and they can start cracking all types of accounts and even open up new accounts in the students’ names.”

The school said it notified those students, alumni, faculty and staff members affected by the breach and has offered identity monitoring services.

Zach Seward, CPO and executive editor at Quartz, was one victim in the Yale data breach, and he relayed his story on Twitter.

Wilk said it might not be Yale’s fault for not discovering the breach sooner.

“Malicious actors are learning not only to access a system but also to do it without leaving a trace. This extreme sophistication results in hard-to-uncover breaches that can take a long [time] to reveal. We encourage companies and organizations to monitor their security system constantly and to stay alert for any unusual activity,” Wilk wrote. “Even if they’ve checked unusual activity thousands of times and it turned out to be nothing risky, the next time that anomaly may just be your cybercriminal at work.”

Ponemon: Mega breaches, data breach costs on the rise

The Ponemon Institute’s latest study on data breach costs highlights the rise of what it calls “mega breaches,” which are the worst types of security incidents in terms of costs and data exposed.

The “2018 Cost of a Data Breach Study: Global Overview,” which was sponsored by IBM Security, details the cost enterprises incur after falling victim to a data breach and found that the average total cost of a data breach rose from $3.62 million to $3.86 million — a 6.4% increase — with $148 as the average cost per lost or stolen record. This year’s report also features data on the biggest breaches, which Ponemon and IBM have termed “mega breaches.”

“Mega breaches are where there are more than one million records that have been breached,” Limor Kessem, executive security advisor at IBM, told SearchSecurity. “And then we looked at up to 50 million [records exposed], although it could be up to infinity these days. Just last year there were 2.9 billion records exposed, and in 2016 there were over 4 billion records exposed, so a breach can be millions and hundreds of millions as well.”

Because this is the first year Ponemon has included mega breaches in its annual report, and only 11 occurred in the sample, there is no past-year data to compare these findings against. The report did find that a mega breach at the minimum of 1 million records exposed led to an average total cost of $40 million, while a mega breach with 50 million records exposed had an average cost of $350 million.

After collecting data from more than 2,500 separate interviews conducted over a 10-month period with 477 enterprises, the study concluded that mega breaches take 365 days to identify, almost 100 days longer than the 266 days it takes to detect a typical breach.

The Ponemon study also discovered that “data breaches are the most costly in the United States and the Middle East and least costly in Brazil and India,” given that the average total in the United States was $7.91 million. “The U.S. topped the chart at almost twice the international average,” Kessem said. “Of course there are currency differences, but the big thing in the U.S. is loss of business.”

Kessem further noted that when consumers were interviewed, 75% of them said they would not want to do business with a company that they didn’t trust to safeguard their data.

“People in the U.S. are very aware of breaches,” she said. “They topped the charts in awareness of how [data breaches] happen and how many happen and so on. In other words, we know breaches are happening and we wouldn’t like to do business with those who can’t protect our data and I think this was a major cost center for the U.S. in terms of data breaches.”

In addition to the cost per record, companies also experience direct and indirect costs after a breach. For example, Canada has the highest direct costs, according to the report, but the U.S. had the highest indirect cost at $152 per capita, which includes “employee’s time, effort and other organizational resources spent notifying victims and investigating the incident.” The study also found that breaches in the healthcare industry are the most expensive, and have been consistently so for several years, which Kessem attributed to the amount of personal data healthcare companies hold.

“Typically [healthcare companies] have a lot of personally identifiable information,” she said. “They’re also going to have payment information and contact information — the more information is attached to an identity, the more it is going to cost.”

Post-breach consequences are further addressed in the report, which states, “Organizations that lost less than one percent of their customers due to a data breach resulted in an average total cost of $2.8 million.” However, the Ponemon study also noted that an incident response team has the ability to reduce the cost by as much as $14 per compromised record — a small change that would greatly add up at the end of a breach.

ComplyRight data breach affects 662,000, gets lawsuit

A data breach at ComplyRight, a firm that provides HR and tax services to businesses, may have affected 662,000 people, according to a state agency. It has also prompted a lawsuit, which was filed in federal court by a person who was notified that their personal data was breached. The lawsuit seeks class-action status.

The ComplyRight data breach included names, addresses, phone numbers, email addresses and Social Security numbers, some of which came from tax and W-2 forms.

ComplyRight’s services include a range of HR products, such as recruitment and time and attendance, as well as an online app for storing essential employee data. This particular attack was directed at its tax-form-preparation website. Customer and employee data of this kind is exactly what attackers go after: the Identity Theft Resource Center’s 2018 midyear report, which lists every known breach so far this year, characterizes the data compromised here as a shopping list of HR-managed data.

Company: No more than 10% of customers affected

The breach occurred between April 20 and May 22, and the company notified affected parties by mail.

ComplyRight, in a posted statement, said “a portion (less than 10%)” of people who have their tax forms prepared on its web platform were affected by a cyberattack, but it did not say how many customers were affected by its breach. The company knows the data was accessed or viewed, but it was unable to determine if the data was downloaded, according to the firm’s statement.

But the state of Wisconsin, which publishes data breach reports, has shed some light on the scale of the impact. It reported the ComplyRight data breach affected 662,000 people — including 12,155 Wisconsin residents. A spokesman for Wisconsin Department of Agriculture, Trade and Consumer Protection said this figure was provided verbally to the state by an attorney for ComplyRight.

Rick Roddis, president of ComplyRight, based in Pompano Beach, Fla., said in an email that the firm won’t be commenting, for now, beyond what it has posted on the site.

Among the steps ComplyRight said it took was the hiring of a third-party security expert who conducted a forensic investigation. The firm is also offering credit-monitoring services to affected parties.

Security expert Nikolai Vargas, who looked at the firm’s statement, said ComplyRight “is doing the bare minimum in terms of transparency and informing their clients of the details of the security incident.”

“In cases of a data breach, it is important to disclose how long the exposure occurred and the scope of the exposure,” said Vargas, who is CTO of Switchfast, an IT consulting and managed service provider based in Chicago. ComplyRight stating that “less than 10%” of individuals were affected “doesn’t really explain how many people were impacted,” he added.

“Technical details are nice to have, but they’re not always necessary and may need to be withheld until protections are put in place,” Vargas said.

Federal suit alleges poor protection

The ComplyRight data breach was first reported by Krebs on Security, which had heard from customers who had received breach notification letters.

Susan Winstead, an Illinois resident, received the notification from ComplyRight on July 17, outlining what happened. She is the plaintiff in the lawsuit filed July 20 in the U.S. District Court for the Northern District of Illinois.

The lawsuit faults ComplyRight for allegedly not properly protecting its data and not immediately notifying affected individuals, and the suit seeks damages for the improper disclosure of personal information, including the time and effort to remediate the data breach.

Company faced difficult detective work

Another independent expert who looked at ComplyRight’s notice, Avani Desai, said the company “followed best practice for incident response.”

With a cyberattack, one of the most difficult processes initially is identifying that there was an actual attack and the true extent of it, said Desai, president of Schellman & Company, a security and privacy compliance assessor in Tampa, Fla. It’s important to ask the following questions early: Was there sensitive information that was involved? Which systems were exploited? The firm quickly hired a third-party forensic group, she noted.

“ComplyRight locked down the system prior to announcing the breach, which is important, because when organizations announce too quickly, we see copycat attacks hit the already vulnerable situation,” Desai said.

Mike Sanchez, chief information security officer of United Data Technologies, an IT technology and services firm in Doral, Fla., said the things the firm did right are “they disabled the platform and performed a forensic investigation to understand the cause of the breach, as well as the breadth of the malicious actor’s actions.”

But Sanchez said the firm’s statement, which he described as a “very high-level summary,” lacked many specifics, including the exact flaw that was used to gain access to the data.

The Identity Theft Resource Center reported that as of the first six months of this year, there were 668 breaches exposing nearly 22.5 million records.

Ticketmaster breach part of worldwide card-skimming campaign

The attack that caused the Ticketmaster breach of customer information last month was actually part of a widespread campaign that’s affected more than 800 e-commerce sites.

According to researchers at the threat intelligence company RiskIQ Inc., the hacking group known as Magecart has been running a digital credit card-skimming campaign that targets third-party components of e-commerce websites around the world.

At the end of June, ticket sales company Ticketmaster disclosed that it had been compromised and user credit card data had been skimmed. A report by RiskIQ researchers Yonathan Klijnsma and Jordan Herman said the Ticketmaster breach was not an isolated incident, but was instead part of the broader campaign run by the threat group Magecart.

“The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites,” Klijnsma and Herman wrote in a blog post. “The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world.”

A digital credit card skimmer, according to RiskIQ, uses scripts injected into websites to steal data entered into forms. Magecart “placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality supplier known as Inbenta,” the researchers said, noting specifically that Ticketmaster’s network was not directly breached.

RiskIQ has been tracking the activities of Magecart since 2015 and said attacks by the group have been “ramping up in frequency and impact” throughout the past few years, and Ticketmaster and Inbenta are not the only organizations that have been affected by this threat.

According to Klijnsma and Herman, Inbenta’s custom JavaScript code was “wholly replaced” with card skimmers by Magecart.

“In the use of third-party JavaScript libraries, whether a customized module or not, it may be expected that configuration options are available to modify the generated JavaScript. However, the entire replacement of the script in question is generally beyond what one would expect to see,” they wrote.

RiskIQ also noted that the command and control servers to which the skimmed data is sent have been active since 2016, though that doesn’t mean the Ticketmaster websites were affected the entire time.

The Ticketmaster breach is just “the tip of the iceberg” according to Klijnsma and Herman.

“The Ticketmaster incident received quite a lot of publicity and attention, but the Magecart problem extends to e-commerce sites well beyond Ticketmaster, and we believe it’s cause for far greater concern,” they wrote. “We’ve identified over 800 victim websites from Magecart’s main campaigns making it likely bigger than any other credit card breach to date.”

In other news:

  • The U.K.’s Information Commissioner’s Office (ICO) is fining Facebook £500,000 — more than $600,000 — for failing to protect its users’ data from misuse by Cambridge Analytica. The ICO is also going to bring criminal charges against the parent company of Cambridge Analytica, which gathered the data of millions of Americans before the 2016 presidential election. The ICO has been investigating data privacy abuses like the one by Cambridge Analytica — which has since gone out of business — and its investigations will continue. The fine brought against Facebook is reportedly the largest ever issued by the ICO and the maximum amount allowed under the U.K.’s Data Protection Act.
  • Apple will roll out USB Restricted Mode in iOS 11.4.1. USB Restricted Mode prevents iOS devices that have been locked for over an hour from communicating with USB devices that plug into the Lightning port. “If you don’t first unlock your password-protected iOS device — or you haven’t unlocked and connected it to a USB accessory within the past hour — your iOS device won’t communicate with the accessory or computer, and, in some cases, it might not charge,” Apple explained. Apple hasn’t given a reason for the feature, but it will make it more difficult for forensics analysts and law enforcement to access data on locked devices.
  • Security researcher Troy Hunt discovered an online credential stuffing list that contained 111 million compromised records. The records included email addresses and passwords that were stored on a web server in France. The data set Hunt looked at had a folder called “USA” — though it has not been confirmed whether or not all the data came from Americans — and the files had dates starting in early April 2018. “That one file alone had millions of records in it and due to the nature of password reuse, hundreds of thousands of those, at least, will unlock all sorts of other accounts belonging to the email addresses involved,” Hunt said. The site with this information has been taken down, so it’s no longer accessible. Hunt also said there’s no way to know which websites leaked the credentials and suggests users implement password managers and make their passwords stronger and more unique.

A DHS data breach exposed PII of over 250,000 people

A data breach at the U.S. Department of Homeland Security exposed the personally identifiable information of over 250,000 federal government employees, as well as an unspecified number of people connected with DHS investigations.

DHS released a statement Jan. 3, 2018, that confirmed the exposure of “approximately 246,167” federal government employees who worked directly for DHS in 2014. It also disclosed the breach of a database for the Office of Inspector General that contained the personally identifiable information (PII) of any person — not necessarily employed by the federal government — who was associated with OIG investigations from 2002 to 2014. This includes subjects, witnesses and complainants.

In its statement, the department emphasized the DHS data breach was not caused by a cyberattack and referred to it as a “privacy incident.”

“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized [sic] transfer of data,” DHS said.

The DHS data breach was initially found in May 2017 during a separate, ongoing DHS OIG criminal investigation in which it was discovered that a former DHS employee had an unauthorized copy of the department’s case management system.

However, individuals affected by the DHS data breach weren’t notified until Jan. 3, 2018. In its statement, DHS addressed why the notification process took so long.

“The investigation was complex given its close connection to an ongoing criminal investigation,” the department said. “From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”

The DHS employee data breach exposed PII that included names, Social Security numbers, dates of birth, positions, grades and duty stations of DHS employees; the DHS investigative data breach exposed names, Social Security numbers, dates of birth, alien registration numbers, email addresses, phone numbers, addresses and other personal information that was provided to the OIG during investigative interviews with its agents.

DHS is offering free identity protection and credit-monitoring services for 18 months to affected individuals. The department said it has also taken steps to improve its network security going forward, including “placing additional limitations on which individuals have back end IT access to the case management system; implementing additional network controls to better identify unusual access patterns by authorized users; and performing a 360-degree review of DHS OIG’s development practices related to the case management system.”

While the affected government employees were notified directly about the breach, DHS stated, “Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data.”

DHS urged anyone associated with a DHS OIG investigation between 2002 and 2014 to contact AllClear ID, the Austin, Texas, breach response service retained by DHS to provide credit-monitoring and identity protection services to affected individuals.

In other news:

  • A group of senators has introduced a bill to secure U.S. elections. The Secure Elections Act is a bipartisan bill that aims to set federal standards for election security. One measure proposed in the bill is to eliminate paperless voting machines, which election security experts regard as the least secure type of voting machine in use today because, with no paper record, their results cannot be audited; the bill also wants post-election audits to become standard practice in all elections. The idea is that audits after every election will deter foreign meddling in American democracy like Russia’s interference in the 2016 U.S. presidential election. “An attack on our election systems by a foreign power is a hostile act and should be met with appropriate retaliatory actions, including immediate and severe sanctions,” the bill states. The bill was sponsored by Sen. James Lankford (R-Okla.) and co-sponsored by Sens. Amy Klobuchar (D-Minn.), Lindsey Graham (R-S.C.), Kamala Harris (D-Calif.), Susan Collins (R-Maine) and Martin Heinrich (D-N.M.).
  • A vulnerability in Google Apps Script could be exploited to automatically download malware onto a victim's system through Google Drive. Discovered by researchers at Proofpoint, the flaw in the app development platform enabled social-engineering attacks that tricked victims into clicking malicious links, which triggered the malware download onto their computers; the researchers also found the download could be triggered without any user interaction. Google has addressed the flaw by blocking installable and simple triggers, but the researchers at Proofpoint said there are bigger issues at work. The proof of concept for this exploit "demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years," the research team said in a blog post. "Moreover, the limited number of defensive tools available to organizations and individuals against this type of threat make it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats." The researchers went on to note that, in order to combat this threat, "organizations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat."
  • The United States federal government is nearing its deadline to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), the email authentication policy that tells receiving mail servers what to do with messages that claim to come from a domain but fail SPF and DKIM checks. In October 2017, DHS issued Binding Operational Directive 18-01, which mandates DMARC and HTTPS for all .gov domains operated by federal departments and agencies. DHS gave them 90 days to publish a DMARC record and enable HTTPS, so the Jan. 15, 2018, deadline is fast approaching. According to security company Agari, as of mid-December, 47% of federal government domains had published a DMARC record, up from 34% the month before. The directive also requires agencies to move to DMARC's strongest policy, "reject," within a year. With a reject policy, a mail server that receives a message purporting to come from the agency's domain and failing authentication is told to refuse it outright, which shuts down the spoofed messages that phishing campaigns rely on. Agari reported a 24% increase in the use of the stricter "reject" setting over the previous month. On the flip side, Agari noted that most agency domains (84%) are still unprotected, with no enforcing DMARC policy in place.
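The distinction in that last item, between a domain that has merely published a DMARC record and one whose policy actually rejects spoofed mail, is easy to lose when reading raw TXT records. The following is an added example written for this page, not code from DHS, Agari or any tool they use. It parses DMARC records and classifies each domain the way the adoption figures above are reported. The domain names and records are constructed, and the thresholds are this example's assumptions: p=reject with pct=100 counts as meeting the reject target, while p=none, a malformed record or no record at all counts as unprotected.

```python
# Added example (not from the page): classify DMARC records against the
# "reject" target described above. All sample records are constructed.
from typing import Dict, List, Optional

# Constructed sample TXT records as they would be published at _dmarc.<domain>;
# None stands for a domain with no record at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example.gov",
    "partial.example.gov": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@partial.example.gov",
    "strong.example.gov": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example.gov",
    "notdmarc.example.gov": "v=spf1 -all",
    "silent.example.gov": None,
}

# Policy strength order used for the subdomain (sp=) comparison.
RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict, or return None when the record
    is not DMARC at all (RFC 7489 requires v=DMARC1 to be the first tag)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = record.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return None
    return tags


def assess(record: Optional[str]) -> Dict[str, object]:
    """Return the declared policy, whether it meets the reject target (an
    assumption of this example: p=reject applied to 100% of mail), and findings."""
    findings: List[str] = []
    if record is None:
        return {"policy": "missing", "meets_reject_target": False,
                "findings": ["no _dmarc TXT record; mail spoofing this domain is never checked"]}
    tags = parse_dmarc(record)
    if tags is None:
        return {"policy": "invalid", "meets_reject_target": False,
                "findings": ["record does not begin with v=DMARC1; receivers ignore it"]}
    policy = tags.get("p", "").lower()
    if policy not in RANK:
        return {"policy": "invalid", "meets_reject_target": False,
                "findings": ["p= tag missing or unknown; receivers ignore the record"]}
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; receivers apply 100")
    if policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    if pct < 100 and policy != "none":
        # RFC 7489: the remaining share gets the next weaker action, not 'none'.
        findings.append(f"pct={pct}: the other {100 - pct}% of failing mail gets the next weaker action")
    sub = tags.get("sp", policy).lower()
    if RANK.get(sub, -1) < RANK[policy]:
        findings.append(f"sp={sub}: subdomain policy is weaker than p={policy}")
    if "rua" not in tags:
        findings.append("no rua=; aggregate reports will not be delivered")
    meets = policy == "reject" and pct >= 100
    return {"policy": policy, "meets_reject_target": meets, "findings": findings}


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains the way adoption figures are usually reported: any record
    at all, records that actually reject, and domains with no enforcement."""
    counts = {"total": 0, "with_record": 0, "at_reject": 0, "unprotected": 0}
    for record in records.values():
        result = assess(record)
        counts["total"] += 1
        if result["policy"] in RANK:
            counts["with_record"] += 1
        if result["meets_reject_target"]:
            counts["at_reject"] += 1
        if result["policy"] in ("missing", "invalid", "none"):
            counts["unprotected"] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess(record)
        print(domain, result["policy"], result["findings"])
    print(summarize(SAMPLE_RECORDS))
```

Note that partial.example.gov counts as "with a record" but not as "at reject": with pct=25, three quarters of failing mail is quarantined rather than refused, which is the kind of gap a headline adoption percentage hides.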

Hacker behind Uber data breach was paid off through bug bounty

The hacker whom Uber reportedly paid off for its 2016 data breach has now been identified as a 20-year-old man from Florida.

The young man, who lives with his mother, was behind the Uber data breach that exposed 57 million user accounts and around 600,000 drivers, according to an exclusive Reuters report. The Uber hacker, whose name hasn't been released, stole the data and then contacted Uber, which referred him to its bug bounty program. Uber then used the bug bounty program to pay the hacker $100,000 to destroy the data.

Uber’s bug bounty program is hosted by HackerOne and usually deals with smaller software bug reports that can earn between $5,000 and $10,000. HackerOne doesn’t manage Uber’s bug bounty program and thus didn’t have a say in the payment, but it does collect financial forms and a nondisclosure agreement (NDA) from those who earn bounties. Uber reportedly used the bug bounty payment to identify the hacker through the financial forms and have him sign the NDA. The ride-hailing company reportedly also performed a forensic analysis of the hacker’s computer to make sure he actually deleted the data he stole.

The data the hacker exfiltrated in the Uber data breach included names, email addresses, mobile phone numbers and driver's license numbers, which were downloaded from AWS storage using access credentials stolen from a GitHub repository. The hacker reportedly paid another, unidentified, person to steal the credentials from GitHub.

In a blog post responding to the Uber data breach, the current CEO Dara Khosrowshahi noted that corporate systems and infrastructure were never actually compromised during the Uber data breach.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

According to its sources, Reuters reported that Travis Kalanick, the CEO at the time and founder of the company, was aware of the Uber data breach and the payment made to the hacker through the bug bounty program in November 2016, despite it not being reported until November 2017.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

In other news

  • The three most widely used Android integrated development environments (IDEs) were all affected by easily exploitable vulnerabilities. Check Point security researchers found that IntelliJ IDEA, Eclipse and Android Studio relied on a vulnerable XML parser. For the attack to work, a developer only needs to be tricked into loading a malicious XML manifest file; the IDE's parser then resolves external entities defined by the attacker, an XML External Entity (XXE) flaw, which lets the attacker read files from the developer's machine. The Check Point researchers, Eran Vaknin, Gal Elbaz, Alon Boxiner and Oded Vanunu, were originally looking at possible vulnerabilities in APKTool, a widely used third-party tool for decoding and rebuilding Android application packages, and found it had the same XML External Entity vulnerability. "Realizing the enormity of this vulnerability to the Android developer and researcher community, we extended our research to the vulnerable XML parser called 'DocumentBuilderFactory', which is being used in APKTool project," the research team said in a blog post. The team also said that they reached out to the affected vendors, all of which fixed the issue and released updates, so users of the vulnerable products should update immediately.
  • Researchers from Citizen Lab have found that Ethiopian dissidents around the world were targeted with emails containing spyware produced by an Israel-based cybersecurity company. The malware campaign was reportedly run by the Ethiopian government from 2016 until the present and targeted one of the Citizen Lab researchers, Bill Marczak, during his investigation into the spyware. “In the attacks we document, targets receive via email a link to a malicious website impersonating an online video portal,” the researchers explain in their report. “When a target clicks on the link, they are invited to download and install an Adobe Flash update (containing spyware) before viewing the video. In some cases, targets are instead prompted to install a fictitious app called ‘Adobe PdfWriter’ in order to view a PDF file.” The research team was then able to trace the spyware and found that it was commercial, created by an Israel-based company. “This report is the latest in a growing body of work that shows the wide abuse of nation-state spyware by authoritarian leaders to covertly surveil and invisibly sabotage entities they deem political threats,” the researchers said.
  • Google released 47 patches for Nexus and Pixel devices in this month's Android Security Bulletin. Of the 47, 10 were for critical vulnerabilities. "The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," the Bulletin said. Four of the other critical vulnerabilities were also in the Media framework, and one critical vulnerability in the System component could enable remote code execution. Three of the critical vulnerabilities were in Qualcomm components and are also all remote code execution flaws, though some of them had already been publicly disclosed. Other affected components are from MediaTek and Nvidia.
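The XXE class of bug in the first item above comes down to an XML parser that resolves a DTD the attacker controls. The Python below is an added example written for this page; it is not Check Point's code and not the fix any of the vendors shipped. It shows the check a tool that ingests untrusted manifests can run before parsing: walk the document with expat's declaration callbacks, which only report declarations and never resolve them, and refuse the file if it declares a DOCTYPE or any entity. Both manifests are constructed for the example, and the file path in the entity is the textbook XXE payload, not one reported for these IDEs.

```python
# Added example (not from the page): refuse an XML manifest that carries a DTD
# before any entity-resolving parser sees it. Both manifests are constructed.
import xml.parsers.expat
import xml.etree.ElementTree as ET
from typing import List

# Constructed benign manifest, in the shape of an Android manifest.
SAFE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:label="Example"/>
</manifest>"""

# Constructed malicious manifest: the same document plus an internal DTD that
# declares an external entity. A parser that resolves external entities would
# substitute the named file's contents for &xxe; (the XXE pattern).
XXE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE manifest [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:label="Example">&xxe;</application>
</manifest>"""


def dtd_findings(data: bytes) -> List[str]:
    """Scan the document with expat's declaration callbacks and report every
    DOCTYPE and entity declaration. Nothing is resolved: no external entity
    handler is installed, so expat never fetches a system id."""
    findings: List[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE {name} (system id {system_id!r})")

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id or public_id:
            findings.append(f"external entity {name!r} -> {system_id or public_id}")
        else:
            findings.append(f"internal entity {name!r} ({len(value or '')} chars)")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        # Malformed input: declarations seen before the error are still reported.
        pass
    return findings


def is_safe_manifest(data: bytes) -> bool:
    """True only when the document declares no DTD at all."""
    return not dtd_findings(data)


def load_manifest(data: bytes) -> ET.Element:
    """Parse a manifest only after confirming it declares no DTD."""
    findings = dtd_findings(data)
    if findings:
        raise ValueError("refusing manifest with DTD: " + "; ".join(findings))
    return ET.fromstring(data)


if __name__ == "__main__":
    print(load_manifest(SAFE_MANIFEST).get("package"))
    try:
        load_manifest(XXE_MANIFEST)
    except ValueError as err:
        print(err)
```

Rejecting any DOCTYPE outright is stricter than only blocking external entities, but manifests and similar machine-generated XML have no legitimate use for a DTD, and the blanket rule also covers internal-entity expansion attacks that a SYSTEM-only filter would miss.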

Proposed data breach legislation could put executives in jail

Democratic senators have re-introduced the Data Security and Breach Notification Act that proposes severe consequences for enterprise executives, including jail time, for failing to notify consumers of a breach.

The proposed data breach legislation would make the willful concealment of a breach a crime that is punishable by up to five years in prison. The bill also states that a “covered entity” must provide notification to users or customers within 30 days of the discovery of the breach unless a U.S. federal law enforcement or intelligence agency exempts the entity from informing the public. The data breach legislation also provides some wiggle room for the notification deadline in order for enterprises “to accurately identify affected consumers; to prevent further breach or unauthorized disclosures; or to reasonably restore the integrity of the data system,” according to the bill.

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said Sen. Bill Nelson (D-FL), who sponsored the bill, in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal.  When it comes to doing what’s best for consumers, the choice is clear.”

Nelson’s statement cited the 2016 Uber data breach, which was concealed by company officials and only recently made public. The breach exposed the names, email addresses and phone numbers for 57 million worldwide customers as well as the names and driver’s license numbers of 600,000 U.S. drivers.

Nelson first introduced the Data Security and Breach Notification Act in 2015 and introduced another version of the bill last year as well. The current version is co-sponsored by Sen. Richard Blumenthal (D-CT) and Sen. Tammy Baldwin (D-WI).

The proposed data breach legislation includes a provision that requires the Federal Trade Commission to develop new information security standards for businesses to adhere to in order to prevent breaches.

A federal data breach law could potentially replace individual state laws such as California's SB-46 data breach notification statute. Enterprises, however, would still have to contend with the data breach notification laws in other countries, which in some cases are much stricter. For example, the European Union's General Data Protection Regulation will require companies to notify authorities of a data breach within 72 hours when the law goes into effect in May.

Push for public, private sector cybersecurity cooperation continues

Recent events such as the Equifax data breach and allegations regarding Russian interference with the 2016 presidential election are sobering reminders of cybersecurity holes in both the public and private sectors.

Cooperation between government and businesses has long been heralded as vital to protect digital assets and improve U.S. cybersecurity, which is why such cooperation is becoming part of U.S. cybersecurity strategy, said acting FBI Director Andrew McCabe.

“There is no law enforcement or exclusive intelligence answer to these questions,” McCabe said about cybersecurity strategy during the Cambridge Cyber Summit hosted by CNBC and the Aspen Institute earlier this month. “We’ve got to work together with the private sector to get there.”

Achieving this goal was the main topic presented at the annual conference, which examines how the public and private sectors can work together to safeguard economic, financial and government assets, while also maintaining convenience and protecting online privacy.

Regulations are usually anathema to a tech industry that worries cybersecurity mandates hinder the innovation upon which their industry thrives. There has been headway of late, however: In response to claims that Russian agents bought social media advertisements designed to sow discord in American politics, Facebook CEO Mark Zuckerberg announced policy changes to “protect election integrity.”

McCabe admitted that the relationship between the federal government and the private sector has had its ups and downs through the years. Edward Snowden’s disclosures about U.S. digital surveillance practices and law enforcement’s confrontation with Apple over the San Bernardino, Calif., shooter’s iPhone, for example, have hindered public and private sector cybersecurity cooperation.

“I see things like this and I hope that we are now edging back into a warmer space … to actually work on solutions,” McCabe said.

The public sector is doing its part to help facilitate these partnerships: The New Democrat Coalition has established a Cybersecurity Task Force that promotes “public-private sector cooperation and innovation” designed to protect against cyberattacks. The U.S. House of Representatives recently passed the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act, which sets “guidelines,” as opposed to mandatory requirements, for small businesses.

Incentives are a big part of these types of efforts. Last month, senators introduced a cybersecurity bill that would establish a reward program designed to incentivize private researchers to identify security flaws in U.S. election systems.

These types of partnerships are beneficial for both sides, said Rod Rosenstein, deputy attorney general at the Department of Justice, at the Cambridge Cyber Summit. Law enforcement investigations can help a company understand what happened, share context and information about related incidents, and even provide advice to shore up defenses if the hackers act again, he said.

“We can inform regulators about your cooperation, and we are uniquely situated to pursue the perpetrators through criminal investigation and prosecution,” Rosenstein said. “In appropriate cases that involve overseas actors, we can also pursue economic sanctions, diplomatic pressure and intelligence operations ourselves.”

International efforts, global companies

The “overseas” variable doesn’t end with nefarious foreign actors hacking U.S. companies. Public and private sector cybersecurity cooperation is further complicated in the global economy with enterprises that have customers, headquarters and employees stationed all over the world. This makes it difficult to incorporate cybersecurity best practices as digital information moves across borders.

Different countries have different rules when it comes to handling digital information, leaving international organizations to navigate conflicting international laws.

“They have different threats to their systems, to their data, to their employees in many different places,” McCabe said. “I think we have a clear and important role in helping them address those threats and those challenges.”

McCabe was quick to add, however, that U.S.-based security professionals and law enforcement prioritize U.S. cybersecurity standards.

“Although we acknowledge that [global companies] have responsibilities in other parts of the world, we expect them to live up to our norms of behavior and in compliance with U.S. law and all the ways that that’s required here in the United States,” McCabe said.

The power of voluntary enforcement

When it comes to cybersecurity, White House Cybersecurity Coordinator Rob Joyce said he is a fan of “voluntary enforcement” among industry. If industry groups can rise up to identify unique risks and push best cybersecurity practices, it could create a sort of peer pressure for other organizations to step up their cybersecurity game, he said at the summit.

The goal is to give consumers the opportunity to choose companies that have voluntarily implemented well-planned cybersecurity best practices and compliance standards, as opposed to security protocols that are slapped together just so new products can be put on the market quickly, he said.

“We would expect industry groups to start labeling themselves as compliant and then consumers to make smart choices about what they’re buying,” Joyce said.

Forcing cybersecurity standards on the technology industry through government regulation poses problems, Joyce said, mostly because the industry evolves so fast. A cybersecurity standard that provides effective data protection and enforcement today could quickly become obsolete when the next iteration of technology is introduced.

“The problem with forcing it through government regulation is you snap a chalk line today, and this industry moves fast,” Joyce said. “You impede good security because people have to do the thing to regulate it instead of doing the thing that’s right.”

The trick is to find that balance between innovation and cybersecurity protection, Joyce added.

“If you try to put too much constraint and mandatory check boxes on the security of a device, you will find that the manufacturers are going to be slowed in their ability to innovate and give us that next better product,” Joyce said. “But we’ve got to have the ability to drive that next better product to have some base security.”