TOP SECURITY THREATS

The hits just keep on coming, the hits to our networks, that is, which today go beyond traditional endpoints to now include mobile and cloud.

Internet of Things – Today, it’s not only our computers, smartphones and tablets connecting to the internet, but also everything from refrigerators and cars to medical devices and toys equipped with embedded circuitry. “Without better security, attacks on these devices are likely to have nasty real world impact,” says a Sophos report.

Public Wi-Fi and network sharing – It’s a well-known fact that public Wi-Fi networks are not to be used for banking or any other transaction where security is a factor since data can be easily pilfered. Particularly troubling, apps that sync up automatically with Facebook or Outlook contacts can be a treasure trove for data thieves.

Financial attacks – With the rapid rise of online commerce, criminals are continually devising new ways – and sticking with tried-and-true methods – to work their way into the servers of financial networks. Using malware, phishing and social engineering, the attack landscape is only increasing.

iOS bugs – Apple has generally been praised for the fortitude of its operating systems. Once it was ignored by attackers owing to its tiny market share, but in the past few years as Apple has grown into a powerhouse enterprise player, the criminal element has attached itself to the rich new possibilities. Researchers have recently pointed out that with the release of iOS 8.4, some critical holes were discerned in previous versions of Apple’s OS that could allow phishing of users’ data, even via VPN connections.

Cloud computing – The cloud has brought convenience and cost-savings to millions of businesses and everyday consumers. However, the security of using a central shared server capable of being accessed by workers spread across the globe is still a vital concern. Hackers might gain entry, critics warn, or insiders could abscond with data on a thumb drive to sell on a black market eager for personal information or intellectual property.

DDoS attacks – Denial-of-service attacks, in which web servers are flooded with heavy traffic in an attempt to knock a website offline, are a favorite tactic of hacktivists exacting revenge on a corporation they object to, or a nation-state in battle with a foe. Several toolkits are available on the internet, some for free. For example, LOIC (Low Orbit Ion Cannon), one of the most popular, was employed by Anonymous in its campaign against a number of large enterprises last year. On a smaller scale, a British man was just sentenced to eight months in prison for launching several DDoS attacks against social service agencies after his children were removed from his care.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

WEIRD NEWS

Florida teacher suspended for using jammer in class – In June, a Florida high school teacher was suspended without pay after he kept a signal jammer in his classroom to prevent students from using their cell phones. Science teacher Dean Liptak allegedly employed the device between March 31 and April 2. He was only found doing so when Verizon noticed a blockage on the campus’s cell tower. Liptak argued the device kept students “academically focused,” as confiscating phones until the end of class caused disruptions and was unproductive.

Caitlyn Jenner cover kept on non-internet connected device – When Bruce Jenner officially transitioned to Caitlyn Jenner, she chronicled the change through a Vanity Fair cover and photo spread. The cover was coordinated and negotiated for months. The photos, however, were especially worthy of protecting with the magazine worrying about leaks. The editors kept the story and spread on one computer that was never connected to the internet, reports indicated. All article assets were also put on a thumb drive every night and then deleted from the computer. The story was also hand-delivered to the printer.

Pastor charged for hacking – A U.S.-based pastor was charged earlier this year as being the “linchpin of a sprawling financial and hacking conspiracy.” Vitaly Korchevsky of the Slavic Evangelical Baptist Church, in Brookhaven, Pa., allegedly worked with nine others to hack into the computer systems of Marketwired, PR Newswire and Business Wire to access corporate press releases before they were made public. This allowed them to glean earnings, gross margins, revenues and other proprietary financial information. The data was apparently sent to associates in the U.S. and Ukraine who parlayed the inside information to trade shares of dozens of companies.

Obama avoids Waldorf over hacking concerns – President Obama and the U.S. delegation to the United Nations General Assembly opted to not stay at the Waldorf-Astoria Hotel during the UN’s annual assembly, a precedent that had been set decades prior. The reason for their hotel change? Hacking. A Chinese firm with strong ties to Beijing purchased the hotel in 2014 and instituted a “major renovation.” U.S. officials suspected the company of building in eavesdropping and cyberespionage capabilities. The delegation instead stayed at the New York Palace Hotel.

Surveillance blimp runs free – A military surveillance blimp broke free from a ground tether in Pennsylvania and was loose for four hours. Two F-16 fighter jets monitored the remote-controlled aircraft until it slowly lost helium and drifted back to ground level. Along with the 243-foot-long blimp itself was 6,700 feet of cable. The blimp took out power for 20,000 customers. The aircraft was a result of 17 years of research and $2.7 billion in funding. However, it was never fully used due to defective software, poor reliability and vulnerability to bad weather.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

TIMELINE 2015

Feb. 4: Anthem medical announces data breach – Health care provider Anthem experienced one of the largest data breaches to date, impacting millions of its current and former customers and employees. Naturally, many of those impacted, as well as information security professionals, had plenty to say via Twitter regarding the incident. The massive external cyberattack on Anthem that allowed attackers to gain unauthorized access to the managed health care company’s IT system turns a harsh spotlight on the security of information in healthcare organizations.

May 2: IRS announces non-IRS sources enabled access to hundreds of thousands of taxpayer accounts – The IRS announced that criminals used taxpayer-specific data acquired from non-IRS sources – including Social Security information, tax filing statuses, birth dates and street addresses – in order to gain unauthorized access to information on more than 100,000 tax accounts. The IRS explained that the attackers accessed the taxpayer information through its “Get Transcript” application, which has since been temporarily disabled. Other IRS systems were not affected.

June 2: USA Freedom Act passes Senate – The USA Freedom Act, which passed the U.S. House of Representatives in May, passed the Senate without any amendments in a 67-32 vote that pushed through a “clean” version of the bill, even though Senate Majority Leader Mitch McConnell had strongly advocated for various amendments to the legislation. If any of the amendments had passed, the bill would have had to return to the House of Representatives for another vote.

June 4: OPM breach – A massive breach affecting millions of federal workers looks like the handiwork of a nation-state, with China as the likely candidate, lawmakers and government officials indicated, drawing calls for swift retaliation. While President Obama’s press secretary Josh Earnest declined to confirm allegations that China was behind the massive data breach at the Office of Personnel Management (OPM), he did tell reporters that if a nation-state was found to be behind the attack, President Obama would have the authority to retaliate.

July 14: Ashley Madison hack – The Ashley Madison website, which runs with the tagline “life is short, have an affair,” was compromised by hackers calling themselves The Impact Team, which has obtained “all customers’ secret sexual fantasies and matching credit card transactions,” plus other data belonging to the website operators. Ashley Madison has more than 37 million users across 46 countries and generates more than £64.3 million per year in subscription fees.

July 10: Army National Guard breach – Personal information containing names, Social Security numbers, home addresses and other personally identifying information from more than 850,000 current and former Army National Guard members may have been compromised and “was inadvertently transferred to a non-[Department of Defense]-accredited data center by a contract employee,” as part of a budget analysis, Maj. Earl Brown, a National Guard Bureau spokesman, said in a release.

July 21: Jeep hack – A pair of security researchers were able to exploit a zero-day vulnerability to remotely control the vehicle’s engine, transmission, wheels and brakes among other systems. Anyone who knows the car’s IP address may gain access to a vulnerable vehicle through its cellular connection. Attackers can then target a chip in the vehicle’s entertainment hardware unit to rewrite its firmware to send commands to internal computer networks controlling physical components.

July 27: Stagefright code vulnerabilities announced – Researchers with Zimperium have identified multiple critical remote code execution vulnerabilities in Android’s Stagefright code that can be exploited on 95 percent of devices – an estimated 950 million – by simply sending an MMS message. Once exploited an attacker could gain complete control of a device or even spy on its user by manipulating the microphone and camera to monitor its surroundings.

Oct. 8: California signs landmark digital privacy bill – California Governor Jerry Brown signed the California Electronic Communications Privacy Act into law, which imposes new digital privacy protections and guidelines for warrants concerning data collection, including stingray use. The law also prevents a government entity from compelling businesses to turn over a client’s electronic communication information or metadata without a warrant, other than defined exceptions.

Oct. 27: CISA passes Senate – Following a full day of discussion and voting on amendments, the Cyber Information Sharing Act (CISA) passed in the House with an overwhelming majority of 74-21.

Sept. 25: U.S.-China deal on intellectual property – The United States and China have agreed to initial norms of cyber activities, saying each will avoid conducting cyber theft of intellectual property for commercial gain. The agreement also draws a clear distinction between cyberespionage between government entities and corporate espionage for commercial gain.

Sept. 29: Edward Snowden joins Twitter – Having amassed more than a million followers in a day, whistleblower Edward Snowden follows only one account: that of the National Security Agency (NSA).

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

BIGGEST BREACHES

OPM – The Office of Personnel Management (OPM) hack in June was arguably the highest profile event of the year with the personal records, fingerprints, background information and Social Security numbers (SSNs) of every federal worker, about 21.4 million people, being exposed. The breach forced OPM Director Katherine Archuleta to resign in July, and the repercussions continue with much finger-pointing over who is to blame for allowing the attack to happen.

Army National Guard – The nation’s Army National Guardsmen found themselves facing danger of a different sort in July when the personal information of 850,000 current and former members was accidentally exposed by an employee. The compromised files contained names, SSNs, home addresses and other personal identifiers from servicemen and women who served since October 2004.

ATT/Experian – Fifteen million current and proposed AT&T customers had their information compromised in October when the credit check firm Experian was breached, losing control over customer names, birth dates, addresses and SSNs. The perpetrator has not been uncovered, but some analysts believe the attack is part of China’s ongoing attempt to gather information on American citizens.

Ashley Madison – The most salacious breach of 2015 belongs to the adultery site Ashley Madison which had the personal information of its 37 million clients exposed by The Hacking Team in July. The hack exposed a lie by the site’s owner, Avid Life Media (ALM), that it deleted data for a fee upon member request. In the months following the initial breach, The Hacking Team released additional client names, although ALM said no financial data was taken.

Online photo sites – Rite Aid, Costco, Sam’s Club and Tesco, following CVS and Walmart Canada, were forced to shutter their online photo stores after the company that operated them, PNI Digital Media, was hacked in July. The sites remained offline for several months. The exact number of people affected and what was stolen is not known, although several of the retailers warned their customers to check their credit cards for unknown usage.

Fiat Chrysler – The car manufacturer discovered in July that cars are not immune to hacks when a pair of security researchers exploited a zero-day vulnerability allowing them to remotely control the vehicle’s engine, transmission, wheels and brakes among other systems. The end result was a recall of 1.4 million Dodge and Jeep vehicles to have software updated to negate the vulnerability.

Anthem – The attack in February on the managed health care company Anthem exposed the PII of as many as 80 million customers. The investigation found the attackers used backdoors to enter the system and reports say the same group that attacked OPM was responsible for the incursion into Anthem.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

BIGGEST ARRESTS

Aug. 18: China arrests 15,000 during cybercrime sweep – In a massive sweep, the Chinese Ministry of Public Security (MPS) announced it had arrested 15,000 people for cybercrimes as part of a long-term operation dubbed “Cleaning the Internet.” The arrests stemmed from about 7,400 specific incidents spread over 66,000 websites that were investigated, but the MPS did not say exactly when the arrests took place.

July 15: Black market ‘Darkode’ bust leads to arrests in 20 countries – International law enforcement announced a crackdown on Darkode. The online crime forum facilitated the purchase and trade of malware, botnets and stolen personal information, including credit card details and user credentials. Morgan Culbertson, a 20-year-old and current FireEye intern with two stints at the company on his résumé, was arrested in association with the forum.

June 10: 49 arrested in Europe for phishing, MitM scheme that netted millions of euro – A collaboration between Europol and various EU law enforcement organizations led to the arrest of 49 believed to have been part of a cybercrime gang that defrauded victims out of six million euro. The suspects allegedly used man-in-the-middle (MitM) attacks and phishing schemes to gain access to corporate email accounts belonging to European companies in order to monitor their payment requests. The scammers then contacted the company’s customers, posing as the legitimate company, and instructed them to send payments to the illegitimate accounts where the money was laundered.

July 21: Alleged JPMorgan hack leaders arrested – Authorities in the Southern District of New York charged Joshua Aaron and his co-conspirators Gery Shalon, Anthony Murgio and Zic Orenstein for their role in the JPMorgan Chase data breach. The men face 23 charges, including wire fraud, identity theft and money laundering.

March 19: NYPD officer arrested for hacking FBI databases – New York City Police Department (NYPD) Auxiliary Deputy Inspector Yehuda Katz was arrested for allegedly hacking into a restricted NYPD computer and other sensitive law enforcement databases to collect information on individuals who had been involved in traffic accidents in the New York City area. He then posed as an attorney, among other things, and solicited them for a 14 percent fee.

June 16: Canadian police arrest nine men in ‘romance fraud’ scheme – Canadian police arrested nine suspects in connection to a romance fraud ring that cost victims $1.5 million. The nine men, who have more than 40 charges against them, allegedly created fake dating profiles and then used them to trick women into trusting them, the York Regional Police Department explained on its Facebook page. The men would progress the relationships quickly, and once victims became emotionally invested, the men would ask for money.

May 8: Former Nuclear Regulatory Commission employee arrested for alleged spear phishing campaign – An indictment charging a former employee of the U.S. Department of Energy (DOE) and U.S. Nuclear Regulatory Commission (NRC) with an attempted spear phishing attack revealed Charles Harvey Eccleston, 62, allegedly sent dozens of spear phishing emails in January 2015 to DOE employees. Eccleston allegedly wanted to cause damage to the department’s network and infect it with a virus that would extract nuclear weapons information for a foreign country.


NOTEWORTHY M&A ACTIVITY

| Buyer | Target company | Gains | Terms |
| --- | --- | --- | --- |
| Trend Micro | HP’s business unit TippingPoint | threat defense solutions for endpoints, network, data centers and cloud systems | $300M |
| CyberArk | Viewfinity | remove business users’ admin privileges to limit phishing and malware attacks | $30.5M |
| Cisco | Lancope | threat defense capabilities, including Lancope’s StealthWatch product | $452M |
| Cisco | OpenDNS | predictive intelligence to filter content and prevent malware attacks | $635M |
| Microsoft | Adallom | cybersecurity solutions for enterprises, including cloud applications capabilities | $320M |
| Bit9 + Carbon Black | VisiTrend | next-generation endpoint security solution, and a technology development center in Boston | unknown |
| Singtel | Trustwave | in-house threat research team, security and compliance services | $810M |
| Thales | Vormetric | data protection solutions for physical, virtual and cloud infrastructures | $400M |