The niner noteworthy and the 12 recaps of 2016 (day 2)

Day 2 of the recap series is about data breaches. Not the absolute humongous ones from Yahoo, I preserve those for a more in-depth article, but there are enough of them left to fill today’s instalment.

In chronological order:

WikiLeaks uploads 300+ pieces of malware among email dumps

Freedom. Justice. Openness. And some entirely avoidable p0wnage for good luck

With the somewhat dubious role Wikileaks has played in the US elections, it can be argued that this organisation is just posting everything it can get without any checks and balances on the data it is supposedly “leaking” for the benefit of transparency etc. etc.
Unless they are going to tell us they got infected themselves as well, I suspect they never even looked at the contents of the dump in the first place.
source: The Register (external link)

Stolen devices to blame for many breaches in the financial services sector


An interesting insight in the types of attacks and specifically the attack or leak factors. Where most people would think hacking would be the biggest factor, it seems to be only 1 in 5 breaches can be contributed to this factor. That whilst lost or stolen devices contribute to nearly 1 in 4 breaches.
Another interesting fact is that organisations with large security operations centers have an extra inherent weakness in it’s fragmentation of knowledge between the different teams of specialist. Although I must admit that having enough specialist with overarching knowledge of the entire IT landscape is merely impossible, multi-discipline individuals and teams must be the main focus to make sense of multiple alerts from different components or you may mis an attack altogether.
source: Help Net Security (external link)

Could you be sending your firm’s cash to fraudsters?


Your typical social engineering trickery. Eager to please and no company culture to be able to challenge the request. Yes there are a lot of technical solutions out there that will certainly have their merit in preventing fraudulous transactions, in my opinion training employees to spot the fakes and a company culture that will allow them to challenge even the highest board level to make sure the request is valid is the best defence. And yes you should challenge the person who supposedly send you the request in person or by phone, never by e-mail and certainly not as a reply on the fraudsters initial message.
source: BBC News (external link)

Central Ohio Urology Data Security Incident Affects 300K


What can I say, beefing up security after a breach is a good idea obviously but I would be interested in why this happened in the first place. One of the main questions here would be if this was an accident or was the data put on the internet accessible drive on purpose?
The most interesting bit is that “network monitoring software was installed”, which clearly means that none was present before. Consider this fact for a moment whilst you think of the type of data, medical information, this organisation stored and reach your own conclusion.
source: Healthcare Information Security (external link)

The Red Cross Blood Service: Australia’s largest ever leak of personal data


Indeed no hack, but extremely careless. And yes I can imagine all the circumstances that may have lead to this situation. Let this be a valuable lesson for all who read this and can relate it to their own data practices. Never think it can’t happen to your organisation too because it can and if you are not careful it will.
Also kudos to Troy Hunt here for his extremely ethical and professional way of handling this incident.
source: Troy Hunt(external link)

Subpoena demands release of audit showing Anthem’s cybersecurity lapses


Sweeping your mistakes under the carpet is never a good idea to hide you are actually accountable and screwed up. But that’s not the most interesting bit of this story. That falls to the fact that the OPM (Office of Personnel Management) did the audits and was ultimately accountable for Anthem handled the data correctly. And yes that’s the same organisation who couldn’t hold on to 20+ million records of security clearances and fingerprints in 2015 themselves. All together and interesting combination of circumstances.
source: Crain Communications (external link)

Three UK suffers major data breach via compromised employee login


Ah yes, your standard insider threat attack factor. Unfortunately indeed sometimes much easier then trying to bypass more hardened security systems from the outside.
Something that caught my attention, as with many other breaches btw, the company stresses that “no financial information was obtained”. Don’t these people really understand that other personal data may very well be more valuable then those pesky financial details?
And one final bit, although I doubt the attackers did that on purpose, it is quite funny that three suspects were detained for this breach of Three UK.
source: TechCrunch (external link)

Passengers ride free on SF Muni subway after ransomware infects network, demands $73k

Office admin systems derailed by malware

Another ransomware attack, this time the SFO public transport system which joins the illustrious ranks of infected organisations together with a lot of hospitals.
Who things can be learned from this attack, apart from probably a bit of security awareness. There was no network segregation in place to prevent the worm-style malware to spread on the networks and apparently no protection software was installed either or if it was it failed.
yes I know this particular strain of malware screws up the MBR (master boot record) of the harddrive, however Talos (Cisco owned) has a free open source tool available to protect the MBR.
source: The Register (external link)

San Francisco Rail System Hacker Hacked

Apparently at least they had good backups which were not effected. Together with a lot more information and some insightful analyses this article by Brian Krebs is certainly worth the read Krebs on Security (external link)

‘Millions of Dailymotion account details taken’


According to this firm usernames and e-mail addresses are not “personal data”, if as according to Leakedsource these were indeed part of the leaked data I partially disagree. Partially because usernames could be an interesting discussion, e-mail addresses certainly are personal data.
So another call for users to change their passwords. Then again, as long as their are no viable alternatives for username/password combinations to access online profiles, this issue won’t go away easily or quickly. And no, specifically on these kind of sites, biometrics is not the answer here either.
One interesting note is that apparently more then 85 million accounts are compromised but only 18 million passwords, yes they were hashed, were stolen.
source: BBC News (external link)

Other articles in this series