The niner noteworthy stories of 2017 (week 12)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Saks Fifth Avenue Exposed Personal Info On Tens Of Thousands Of Customers


One quote from the article practically says it all:

“We take this matter seriously,” a Hudson Bay Company spokesperson told BuzzFeed News. “We want to reassure our customers that no credit, payment, or password information was ever exposed. The security of our customers is of utmost priority and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”

First of all, if they really did take this “matter seriously”, publishing all this information in the first place certainly doesn’t show it. Secondly, why do all these companies immediately stress that no financial information was compromised? Credit cards can be blocked and transactions disputed within days; the profiling data that did leak (IP addresses, e-mail addresses, phone numbers and product codes that are easily mapped back to products) tells an attacker about somebody’s interests, hobbies and/or profession and cannot simply be cancelled and reissued.
That information is far more valuable than the credit card numbers that were not leaked.
source: BuzzFeed (external link)

Spam hitting Germans with personalized messages


And with companies shrugging off leaks of personally identifiable information (PII), as I noted above, they actively contribute to the success of exactly this kind of spam campaign: the personalised details come straight from leaked client data.
Does your company actually know what PII it collects and how well that data is protected? Are you largely ignoring the new European privacy rules (the GDPR) because it all seems too difficult, unaware of the fines attached to mishandling this kind of data?
If you recognise yourself in any of these questions, then it’s time to contact me for assistance and advice.
source: SC Magazine US (external link)

New Yorkers See 60% Rise in Data Breaches in 2016


To drive my point home, note the types of breach apparently being reported in New York: all of them involved financial information and/or social security numbers. This is probably only the tip of the iceberg of the breaches actually happening, and the fact that 60% more breaches were reported allows two conclusions: either companies are paying more attention and detecting more breaches while the real total stays flat, or the real total is growing by even more than 60% and only a larger share of them is being detected.
The first reading is obviously the more optimistic one. However, with about 40% of the breaches attributed to negligence, there is little reason to hope it is the likelier of the two.
source: Dark Reading (external link)

Web hacking only getting worse as webmasters fail to patch ageing code


The same old story that holds true for all your other systems also holds true for your websites and web servers: KEEP PATCHING! The underlying problem is that many of the people actually writing software have never been taught, or do not have the time and skills, to write secure code from the start.
This is a major issue we won’t get rid of any time soon, I’m afraid. Modern development practices like agile, scrum and DevOps only make matters worse when they are adopted without a solid foundation in designing and writing secure programs and code in the first place.
That software companies almost always get away with delivering vulnerable products does not help either.
Why do we accept it from them, whilst we go nuts over car makers cheating on diesel emissions or punish aircraft manufacturers when a plane turns out to have a fatal flaw that caused a major accident?
Do we really think, in this digitalised world, that software cannot cause deaths on a massive scale just like a crashing plane? Keep accepting insecure software and you will find out sooner rather than later that it certainly can.
source: SC Magazine UK (external link)

Millions of SAP users at risk from ransomware due to GUI flaw


A prime example of the trouble you get into when deploying insecure code, as discussed above. Because the vulnerability sits on the client side, patching it means touching every workstation that runs the SAP GUI, which is extremely time-consuming. Most companies will therefore probably wait for the next major patching maintenance window to roll out these SAP fixes along with everything else, assuming they even have a structured patch management process in place.
Then there is the ad-hoc method, which patches a couple of systems at a time to limit the load on an often overworked IT department, leaving the remaining workstations exposed in the meantime.
Would a defence-in-depth strategy lessen the chance of infection? Probably, but a company that had such a strategy in place would also have patch management, and most likely centralised patch rollout, as part of it, and this patch cycle would not be an issue in the first place.
source: V3 (external link)

Malware ‘disguised as Siemens software drills into 10 industrial plants’


Even authorised remote access can be a problem: is your ICS vendor fully secured and prepared to face infection by any type of malware? Or is it just another attack vector and opportunity to reach your internal Operational Technology (OT) network segment?
USB sticks can obviously breach an air-gapped network, but with senior management wanting more and more data out of the operational environment in real time, as well as wanting to send control commands back, those air gaps are slowly but surely disappearing from industrial environments.
If those environments ran specialised software on specialised hardware, the effort required to attack them would be higher than it is today. Why are these networks facing the same threats as your office IT systems, plus some extra ones? Because they run on the same commodity hardware and software, without the benefit of being patchable in a timely fashion.
This calls for an entirely different paradigm for securing these networks, shifting to additional methods instead of the traditional office IT techniques. That takes time, effort and a solid understanding of what is possible without hindering industrial operations.
source: The Register (external link)
On a side note: it is interesting that it is again Siemens PLCs that are the target here, just as in the Stuxnet attack. Whether the two are related is unknown at the time of writing, but since I don’t believe in coincidence, it would not surprise me if there were a link after all. It would not be the first offspring of the Stuxnet cyber weapon, which has even evolved into a strain of ransomware in 2017.

How fake data could lead to failed crops and other woes


I ask you: what would a hacker gain if a production process is derailed and the impact is only felt over months and years? Most cyber criminals are in it for the quick gain, not for long-term effects. Nation states are the obvious exception, but in an ever more globalised economy such attacks on an economy would have a knock-on effect on their own country as well.
Changing small details in contracts that could cost a company big money is a far more likely scenario, and, as the article states, encryption could be a solution. Note, though, that encryption on its own only hides content: detecting that a document has been altered requires an integrity check (a MAC or digital signature) on top of it, and it is those keys that make the scheme worth attacking.
However, managing the cryptographic keys that such a scheme depends on is tedious and far from trivial work, as the next story shows all too clearly.
Another issue is that employees need to be able to work with such cryptographic or DRM (digital rights management) systems without constantly finding ways to circumvent them. This is a constant struggle that can only be won with an effective security awareness programme: one that teaches people to do the right thing and also explains why it is necessary. That last part is almost always forgotten or left out on purpose.
Need help with your security awareness strategy? Please contact me to discuss the possibilities.
source: BBC News (external link)
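To make the difference between hiding a contract and protecting it concrete, here is an added example (mine, not code from the BBC article or from anyone quoted in it). It stands in for a real stream cipher such as AES-CTR with a constructed SHA-256 counter-mode keystream, which is malleable in exactly the same way, and uses fixed demo keys; the contract line and the one-bit change are constructed inputs. Without a MAC, an attacker who never sees the key turns 100000 into 900000 by flipping one bit of ciphertext; with encrypt-then-MAC, the same change is rejected before anything is decrypted.

```python
import hashlib
import hmac

# Constructed demo keys and nonce: real deployments derive keys from a KMS/HSM
# and never reuse a nonce under the same key.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\x00" * 16
NONCE_LEN, TAG_LEN = 16, 32

# Constructed contract line; the attacker only needs to know the layout, not the key.
CONTRACT = b"Amount payable: 100000 EUR"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only, not a real cipher).
    Any XOR stream cipher, AES-CTR included, is malleable in the same way."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. The same call decrypts."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


def flip_byte(blob: bytes, offset: int, mask: int) -> bytes:
    """Attacker primitive: XOR one byte of the ciphertext, no key required."""
    out = bytearray(blob)
    out[offset] ^= mask
    return bytes(out)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt, then authenticate nonce||ciphertext with HMAC-SHA256 under a separate key."""
    ct = encrypt_only(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; reject any modification."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: document was modified")
    return encrypt_only(enc_key, nonce, ct)


# '1' (0x31) XOR '9' (0x39) == 0x08: flipping that one bit rewrites the amount.
AMOUNT_OFFSET = CONTRACT.index(b"1")
MASK = ord("1") ^ ord("9")


def tamper_without_mac() -> bytes:
    """What the recipient decrypts when only encryption protects the contract."""
    ct = encrypt_only(ENC_KEY, NONCE, CONTRACT)
    return encrypt_only(ENC_KEY, NONCE, flip_byte(ct, AMOUNT_OFFSET, MASK))


def tamper_with_mac() -> bool:
    """True if the same one-bit change is detected under encrypt-then-MAC."""
    blob = encrypt_then_mac(ENC_KEY, MAC_KEY, NONCE, CONTRACT)
    tampered = flip_byte(blob, NONCE_LEN + AMOUNT_OFFSET, MASK)
    try:
        verify_and_decrypt(ENC_KEY, MAC_KEY, tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(tamper_without_mac())  # b'Amount payable: 900000 EUR'
    print(tamper_with_mac())     # True
```

The tag covers the nonce as well as the ciphertext, so a valid tag cannot be replayed under a different nonce, and the MAC key is separate from the encryption key. That second key is precisely the extra key-management burden the next story is about.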

Google and Symantec clash on website security checks


The answer to why Symantec was singled out may be as obvious as it is possibly childish: because they are the biggest issuer, and tackling them will have a knock-on effect on the rest of the certificate industry. At least that is my two cents’ worth on the matter.
Issuing certificates is, from a purely technical point of view, extremely boring and less challenging than you may think. The processes required to issue them correctly, in a way that can be fully trusted, are however extremely difficult and time-consuming, and a small mistake can lead to massive trouble, as we saw in 2011.
Although the way DigiNotar ran its business can hardly be called a “small mistake”, the fact that the then just renamed KPN Certificate Services fell victim to an almost identical incident not even half a year later shows that it is pretty difficult to get right 100 percent of the time.
Add to that a business with very slim profit margins and you may understand why these companies sometimes cut corners. Cut too much of the corner, though, and you run into trouble, as we have seen in this case.
They are not called “trusted third parties” for nothing.
source: BBC News (external link)

Breach Involving Encrypted Devices Raises Questions


The HIPAA rule is pretty clear-cut: if the data is encrypted and no decryption key was compromised together with the encrypted data, no breach notification is required.
The fact that the data in this case was obtained for unlawful purposes and the data controller still decided to notify tells me that the data, although in encrypted form, was accompanied by the decryption key.
It is reasonable to assume the culprit followed the standard procedure for obtaining the data: storing it on an encrypted medium before being allowed to take that medium off-site, while at the same time obtaining the decryption key so the data would be usable once transferred.
The theoretical case of the open laptop given in the article is however only partially correct. When a laptop is running and possibly unlocked, the disk encryption is certainly still working and active; but because the relevant key has been unlocked as well, the net result is that the data is accessible to whoever controls the session. The article states that in this case the encryption is not active, which is incorrect: the encryption is active, the protection is not.
With any cryptographic system you can very simply decide for yourself whether the data is safe by asking just one question: who has access to the decryption key?
source: Data Breach Today (external link)