
Security News for the Week Ending December 25, 2020

First of all, Merry Christmas and a Happy New Year.

OCC, FRB and FDIC Propose New Rule – Tell Us If You Have a Security Incident

The federal banking regulators are proposing a new rule that banks and tech companies that service banks need to report to their regulator within 36 hours if they have a security incident (like ransomware) that impacts their operations. I suspect that banks have been hiding these in the large stack of forms they file daily, hoping their regulator doesn’t catch what is going on. In *MY* opinion – long past due. It covers everyone who is part of the Federal Reserve System or the FDIC, among others. Credit: FDIC

FBI Says Iran Behind pro-Trump ‘enemy of the people’ Doxing Site

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) say that Iranian actors are “almost certainly” behind the creation of the website (currently down), basing the assertion on “highly credible information.”

The agencies add that in mid-December 2020 the website contained death threats aimed at U.S. election officials. Among them are governors, state secretaries, former CISA Director Christopher Krebs, FBI Director Christopher Wray, and people working for Dominion, the company providing the voting systems. Credit: Bleeping Computer

Facebook and Google Get a Little Too Friendly on Ads

While Google and Facebook supposedly compete in the ad business, with the two of them controlling over half the market, there was a bit of preferential treatment. In 2018 they announced a deal where Facebook’s advertisers could buy ads within Google’s ad network. What they did not announce was a secret deal where Facebook would get preferential treatment if they backed down on getting their advertisers to switch to a Google competitor. These days it is hard to keep secrets that big secret. Credit: Cybernews

Microsoft and McAfee Join Ransomware Task Force

19 tech companies, security firms and non-profits have joined together to fight ransomware. The task force will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members. The result will be a standardized framework for dealing with ransomware attacks across verticals, based on industry consensus. They start playing together next month. Stay tuned to see what they produce. Credit: ZDNet

Homeland Security Releases Guide Warning About Chinese Equipment and Services

The Chinese government, along with Russia, has shown that it has a virtually insatiable appetite for stealing our stuff, whether that is personal information or trade secrets. This DHS document talks about the risks of partnering with Chinese firms and/or allowing your data to be stored in China or Chinese-controlled data centers. It talks about how China has constructed its laws so that the government can get access to anything that it wants and what you can do to reduce the risk a little bit. A copy of the report can be downloaded here.

Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing a lot of details about what went wrong, the NSA is saying that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that, likely, would be illegal under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source: Gizmodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important or a hassle or costs money, as of July 23, 2018, Google is going to flag your site as NOT SECURE in the address bar, every time someone visits your site.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to set up an HTTPS certificate for your web site.

By the way, in typical Google fashion, in a few months they will start presenting a pop up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank Boards and senior management should ASSUME that systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the BoE’s regulator said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes its stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill its obligations under Safe Harbor by September 1 of this year, Europe should suspend the deal.  This is in addition to the attacks on Safe Harbor that are currently going on in the EU court system.

Taken together, U.S. firms doing business AND who transfer data between the E.U. and the U.S. should be rightfully worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration,  the lack of a permanent ombudsman, the impact of the President’s executive orders on immigration, the re-authorization of Section 702 of the FISA act and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case scenario, the E.U. could shut off the data spigot for U.S. companies to legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U. based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)

Banks Bilked Out Of More Than $1 Billion

Reuters is reporting that Kaspersky Labs is working with Interpol, Europol and other law enforcement authorities to ferret out more details of the attack, but they have announced several details.

Gene Kaspersky, founder and head of Kaspersky Labs is well known in white hat (good guy) hacking circles.  His public pronouncements, while sometimes flashy, usually are found to hold water, so it is likely that the facts that have been released are accurate.

The attackers who have looted 100 banks for more than a billion dollars (which you and I get to pay for in the form of higher fees and lower interest payments), have taken several forms.

The first form, which I have reported on in the past (see this post), uses a spear phishing attack to get inside the bank and then inside the ATM network.  The hacker then causes the ATM to dispense inappropriate bills to the hacker’s accomplice who is at the ATM at that moment.

The second form is even more creative.  After hacking into the banks in the same way, the hackers watch the video surveillance feeds to figure out “normal” ways bank employees behave.  They then add a sum of money to someone’s account and later, using what they learned watching the video, transfer it to their own account.  Since the customer’s balance is unchanged in the end, the customer is less likely to notice it.  To the bank, it just looks like a regular deposit and later a withdrawal.  It is likely that the funds are wired out to a bogus account set up by the hackers and then drained.
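The “inflate, then move it out” pattern above is exactly what makes the scheme invisible to the customer, but it leaves a shape in the bank’s own ledger that a monitoring rule can look for. The following is an added illustration, not code from the post or from Kaspersky: a constructed sample ledger and a rule that flags a credit followed within a window by a debit of the same amount from the same account to a different counterparty. The account names, counterparties and window are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One posting to a customer account. Constructed format for this example.
LedgerEntry = namedtuple("LedgerEntry", "ts account direction amount counterparty")

# Constructed sample ledger (not real bank data).
SAMPLE_LEDGER = [
    LedgerEntry(datetime(2015, 2, 16, 9, 5), "ACC-1001", "credit", 2_000, "PAYROLL-CO"),
    # Suspicious: balance inflated overnight, then the same sum leaves for a new payee.
    LedgerEntry(datetime(2015, 2, 16, 23, 40), "ACC-1001", "credit", 50_000, "ADJUSTMENT"),
    LedgerEntry(datetime(2015, 2, 17, 3, 12), "ACC-1001", "debit", 50_000, "ACC-9999"),
    # Benign: customer moves money to and from their own savings account.
    LedgerEntry(datetime(2015, 2, 17, 10, 0), "ACC-2002", "credit", 500, "ACC-2002-SAV"),
    LedgerEntry(datetime(2015, 2, 17, 12, 0), "ACC-2002", "debit", 500, "ACC-2002-SAV"),
]


def find_pass_through_transfers(ledger, window=timedelta(hours=48)):
    """Return (account, credit, debit) triples where a credit is followed within
    `window` by a debit of the same amount to a *different* counterparty.
    Net balance is unchanged, which is why the customer would not notice."""
    by_account = {}
    for entry in sorted(ledger, key=lambda e: e.ts):
        by_account.setdefault(entry.account, []).append(entry)

    hits = []
    for account, entries in by_account.items():
        credits = [e for e in entries if e.direction == "credit"]
        debits = [e for e in entries if e.direction == "debit"]
        for c in credits:
            for d in debits:
                if (c.ts < d.ts <= c.ts + window
                        and d.amount == c.amount
                        and d.counterparty != c.counterparty):
                    hits.append((account, c, d))
    return hits


if __name__ == "__main__":
    for account, credit, debit in find_pass_through_transfers(SAMPLE_LEDGER):
        print(f"{account}: {credit.amount} in from {credit.counterparty}, "
              f"out to {debit.counterparty} {debit.ts - credit.ts} later")
```

In a real bank this would be one of several rules (unusual posting channel, off-hours adjustments by staff, first-time payees) rather than a stand-alone detector.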

Pulling off these attacks requires a great deal of technical skill and logistics, so this is the work of a professional team, possibly state sponsored.

Unfortunately, for the banks – and ultimately us – this is a pretty expensive caper.

According to Kaspersky, these attacks are still going on.  With them having already found 100 banks affected, it is unknown how many more have not been discovered.

The common components here are successful phishing attacks on administrators at the banks and lack of effective segmentation between the different parts of the bank like the ATM network, the surveillance network and the corporate network.  Usually this is because that would be inconvenient for the employees.  So is losing a billion dollars.

New attack on ATMs

Krebs on Security is reporting a new method of extracting money from bank accounts.  So far, this has been reported as being accomplished in eastern Europe and Russia, but there is certainly no reason why this cannot be accomplished in the U.S.

The group starts by sending spear phishing emails to bank employees that look like they are from bank regulators.  The emails contain infected Microsoft Office documents that take advantage of recently patched Office flaws (with the assumption that it takes the banks a while after the patch is out to apply the patch).  Once inside, the malware now looks like an insider and can gain access to additional resources such as the ATM subnet, downloading malicious software to specific ATMs.

In addition, the gangs “buy” already infected desktops inside the banks and add their malware to them.  This is the classic “buy vs. build” argument.  It’s apparently easier than asking people to install your malware.

In one case, using ATMs that contained multiple bill denominations, the hackers told the ATMs that trays had been swapped, so when the ATM thought it was dispensing 10 Ruble notes, it was actually dispensing 5,000 Ruble notes.  So when the ATM thought you were getting ten 10 Ruble notes (for 100 Rubles), you actually got ten 5,000 Ruble notes, or 50,000 Rubles.  Combine this with a stolen ATM card and good luck getting your money back.  Not only does the bank lose 50,000 Rubles, but it has to reimburse the actual card owner for the 100 Rubles deducted from his or her account.
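The tray swap only works because the ATM’s idea of what each cassette holds is never checked against what is physically in it. The following is an added example, not code from Krebs or from the original post, showing the reconciliation a replenishment team can run: compare the value the ATM logged as dispensed (using the denominations its software believes) against the value that is physically missing from the cassettes (using the denominations the technician counted). Cassette names, counts and the single logged transaction are constructed for the example.

```python
# Constructed ATM figures for one replenishment cycle (rubles). Not real data.
CONFIGURED = {"cassette_1": 10, "cassette_2": 5000}   # what the ATM software believes
COUNTED = {"cassette_1": 5000, "cassette_2": 10}      # what the technician physically found
LOADED = {"cassette_1": 200, "cassette_2": 200}       # note counts when the ATM was loaded
REMAINING = {"cassette_1": 190, "cassette_2": 200}    # note counts at the physical count
DISPENSE_LOG = [("cassette_1", 10)]                   # (cassette, notes) the ATM recorded


def reconcile_atm(configured, counted, loaded, remaining, dispense_log):
    """Return (ledger_value, physical_value, mismatched_cassettes).

    ledger_value:   cash the ATM believes it paid out (and debited from cards).
    physical_value: cash actually missing from the cassettes, valued at the
                    denominations the technician counted, not the configured ones.
    mismatched_cassettes: cassettes whose configured denomination disagrees
                    with what was physically loaded (the tray-swap symptom)."""
    logged_notes = {}
    for cassette, notes in dispense_log:
        logged_notes[cassette] = logged_notes.get(cassette, 0) + notes

    ledger_value = sum(notes * configured[c] for c, notes in logged_notes.items())
    physical_value = sum((loaded[c] - remaining[c]) * counted[c] for c in loaded)
    mismatched = sorted(c for c in configured if configured[c] != counted[c])
    return ledger_value, physical_value, mismatched


def atm_is_clean(configured, counted, loaded, remaining, dispense_log):
    """True only when value and denominations both agree; any gap is a red flag."""
    ledger, physical, mismatched = reconcile_atm(
        configured, counted, loaded, remaining, dispense_log)
    return ledger == physical and not mismatched


if __name__ == "__main__":
    ledger, physical, mismatched = reconcile_atm(
        CONFIGURED, COUNTED, LOADED, REMAINING, DISPENSE_LOG)
    print(f"ledger says {ledger} dispensed, cassettes are short {physical}, "
          f"denomination mismatch on {mismatched}")
```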

This seems a lot easier than snarfing up all those credit cards and trying to figure out who has money on their card or in their account, worrying about the card being shut off and so on, but these gangs are entrepreneurial and do both – steal credit cards and hack the banks.

Apparently, this gang has stolen millions from the Russian and eastern European banks.

So far, this has not affected U.S. banks, but hopefully the banks are on the alert.

The good news is that there are a number of things that you can do (as the bank) to protect yourself given that you understand this M.O.  The question is whether the banks will take the lead and be proactive or wait until they have lost millions.

Feds Look To Get Firms To Close “Gaping” Cyber Holes

An article in the Times a week ago says that the Feds and States want banks and brokerage firms to close some gaping holes in their defenses.

What is that gaping hole?  OUTSIDE VENDORS!

Many people are aware that the suspected source of the Target breach was a small HVAC contractor.  They didn’t do anything on purpose;  they got phished.  It also appears that the JP Morgan Chase attack may have started with a vendor as well.

According to the article, the Securities and Exchange Commission is conducting an audit of 50 firms to assess their readiness for attacks AND their relationships with vendors. FINRA is doing the same with brokerage firms.  Other regulators are doing the same with 500 community banks and credit unions.

Benjamin Lawsky, New York’s outspoken head banking regulator, suggested that banks may be required to “obtain representations and warranties” from vendors about the adequacy of their controls to thwart hackers.

Lawsky said “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors.”

If I was a vendor – and that includes everyone down to janitorial firms according to Treasury – I would be looking at my cybersecurity readiness and figuring out what the implications of Reps and warranties might be.

Nothing is a done deal until it is a done deal, but there seems to be a lot of “smoke” around this issue right now.  Too much to assume there is no “fire”.

Mitch Tanenbaum