Security News Bites For Friday July 6, 2018

NSA Deleting All Call Detail Records (CDRs) Acquired Since 2015

While the NSA is not providing a lot of details about what went wrong, the NSA is saying that it is deleting all CDRs acquired since 2015 because of technical irregularities that resulted in it receiving data that, likely, would be illegal under the current law.  They have been accused of breaking the law many times, but this is one of the few times I can remember that they admitted to breaking the law.

Because, they say, it is infeasible to sort out the legal data from the illegal data, they are deleting lots of data.

Gizmodo, in a bit of editorializing, asked if the “technical irregularities” were related to the “programming errors” the FBI said caused it to wildly inflate the number of encrypted phones that they could not access in various criminal cases.

While admitting that they screwed up is important, what would be better would be to get it right as they hoover up all of this data.  (Source: Gizmodo)

3 Weeks Until NOT SECURE Starts Showing Up In Your Browser

I wrote about this a few months ago, but now it is going to happen, so it is worth a reminder.

For all of those web sites that said that HTTPS was not important or a hassle or costs money, as of July 23, 2018, Google is going to flag your site as NOT SECURE in the address bar, every time someone visits your site.

While some visitors will ignore the warning, others will get freaked, especially if your site is not one that they visit often.

Now is the time – like in the next 21 days – to set up an HTTPS certificate for your web site.

By the way, in typical Google fashion, in a few months they will start presenting a pop up box that visitors will have to click through to say, yes, I know this site is not secure, but I want to go there anyway.  Not a great way to attract new visitors.  (Source: The Register)

Bank of England (BoE) Tells British Banks to be on a War Footing

Bank regulators in the UK have told financial service firms to come up with a detailed plan to restore services after a disruption and to invest in the staff and technology to do so.  Bank Boards and senior management should ASSUME that systems and processes that support the business will be disrupted and focus on backup plans, responses and recovery.

Lyndon Nelson, deputy chief executive of the BoE’s regulator said that firms need to be on a “WAR footing: withstand, absorb, recover.”  This is something the Brits understand from World War II, but which the United States hasn’t quite figured out.

In addition to cyber attacks, the BoE said that firms should be ready for disruptions caused by failed outsourcing and tech breakdowns.

As the U.S. relaxes its stress tests, the BoE said that it will stress test banks with “severe, but plausible” scenarios.  The BoE will set a time limit for recovery.

It looks like the UK regulators are way ahead of US regulators, but maybe we can learn from them.  (Source: Bloomberg)

US Firms Hit Another Hurdle in GDPR Compliance

Some people say – and no one has proved the contrary – that GDPR was designed to go after big U.S. firms, while dragging along all the little ones with it.

This week, in honor of July 4th (not really), the European Parliament voted in favor of a resolution that says that if the U.S. does not fulfill its obligations under Safe Harbor by September 1 of this year, Europe should suspend the deal.  This is in addition to the attacks on Safe Harbor that are currently going on in the EU court system.

Taken together, U.S. firms that do business AND transfer data between the E.U. and the U.S. should be rightfully worried.

Some of the obligations that the U.S. is behind on include filling vacant posts on the Privacy and Civil Liberties Oversight Board, which has been basically dormant under the current administration, the lack of a permanent ombudsman, the impact of the President’s executive orders on immigration, the re-authorization of Section 702 of the FISA Act and a number of others.

The current relationship between our president and the EU doesn’t help things.

This could turn into a standoff, or, in the worst case scenario, the E.U. could shut off the data spigot for U.S. companies to legally move data from the E.U. to the U.S. for processing, storage and analysis.  While large companies may (repeat MAY) be able to deal with this, smaller companies will be greatly challenged and some may have to abandon the European market to E.U. based businesses, something that would make a lot of E.U. businesses very happy.

Stay tuned!  (Source: The Register)

 


UK Security Chief: C1 Attack Likely in Next Two Years

The head of the UK’s National Cyber Security Center (NCSC), Ciaran Martin, said that a major cyber-attack on the UK is a matter of when, not if.

Martin said that the UK had been lucky to avoid a so-called category one (C1) attack.  Luck?  That’s comforting.

A C1 attack is defined as an attack that might cripple infrastructure such as energy supplies or the financial services sector.

Other countries, such as France and the US, have already had C1 attacks.

The US?  Really?  That is because interference with the elections is considered a C1 attack also.

Martin, in an interview with the Guardian, said that he anticipated a C1 attack in the next two years – that he doesn’t expect to make it to 2020 avoiding such an attack.

The NCSC is the public face of GCHQ, the British version of the NSA, so they likely have a pretty good idea of what is happening.

The worst attack the UK has faced so far was WannaCry last year.  The NCSC categorized that as a C2 because there was no imminent threat of loss of life.  It certainly had an impact on healthcare in the UK.

The NCSC has classified 34 attacks at the C2 level since it opened through the end of 2017 – about 15 months.  They cataloged 762 C3 attacks in that same period.

We don’t have similar numbers for the US, but if we did, they would likely be larger.  We are a bigger target than most.

President Trump suggested he might use nuclear weapons in case of a cyber attack.  Hopefully, he was just bluffing, but that would be a good way to start World War III.

Cyber attacks are not going away any time soon.  For nation states, it is pretty easy to “encourage” private hackers in another country to be their attack proxy, which is why using nukes to retaliate is so scary.  What if the Chinese made an attack look like it came from Russia?  Or Germany?  Sometimes attribution is easy, but only if we have already hacked the hacker’s network.  If a nation state is effective at getting hackers in another country to launch an attack, then attribution is hard.  What if Chinese hackers compromise some computers in some place in the US, say Iowa, and launch an attack from those compromised PCs?  If the PCs are consumer owned, it is unlikely that there are any logs to help figure out where the attack was launched from.  At that point, figuring out where the attack came from is very, very difficult.

Information for this post came from The Guardian.

 


The FBI is looking for a little love

According to an item on Govtech, the FBI is looking for a little help from businesses in their effort to bring cyber criminals to justice.

Assistant AG for National Security John Carlin and FBI Director James Comey said they need more than knowing how a breach occurred.  They also want to know why the bad guys are after them.  So exactly what is in it for businesses to cooperate?

I assume that number one on most companies’ lists would be to get the bad guys, get the information back and put the perpetrator in jail for a long, long time.  Let’s analyze this.

While some cyber attacks come from inside the US, many come from foreign countries.  Countries that are not terribly friendly to us.  Countries like Russia, China, North Korea and other places.  Do you think China is going to help us catch some cyber thieves?  Not likely.  Many of them are likely on the government’s payroll.  The ones that are not and are doing things that the government doesn’t like will likely disappear.  That problem is solved.  Sending them to the US to face trial?  Not gonna happen.

What are companies concerned will happen?

1. My company will be turned into a crime scene.  To some extent, this is likely to happen.  The Feds are going to want to collect evidence.  Are they going to come thundering in and haul off all your computers?  Not likely, but there are no parameters that say what they are going to do and not do.  Are they going to question my employees and take their time?  Likely yes.

2. I will get a lot of PR – all bad.  This is likely to happen anyway unless you can keep the breach quiet.  If it consists of stealing corporate intellectual property, you can probably do that, but the odds of catching the bad guys go to zero.  On the other hand, once the IP is stolen, getting it back is probably not very useful, since it has likely already been copied and distributed.  You cannot get the cow back in the barn.

3. The FBI is not going to understand what I am telling them and I will get frustrated.  Also likely to an extent.  The FBI is hiring a bunch of cyber agents, but they are not programmers and not system administrators and they have not been involved with your company to understand how your systems work.  Still, they are getting much better than they were.

4. The bad guys won’t get caught.  Also likely.  The US just indicted a bunch of Chinese military hackers.  Do you think the Chinese are going to turn them over to us?  Not very likely.  That indictment was a publicity stunt to try to impress the uninformed.  At least we do have some idea of who was attacking us, but the odds of us getting our hands on them to put them through our legal process are as close to zero as you can get.

5. Information I don’t want to get out will get out.  Partly true.  Some information will be protected, but unless a judge agrees to seal an indictment or clear the courtroom before testimony, which is very unusual, some information will get out and you won’t get to decide what does and what does not.

So it is a messy situation.  No easy answers.  Your board will have to make some decisions. Also consider, however, that if it involves PII (like credit cards) or PHI (like medical records), the decision is mostly out of your hands unless you want to break the law – and they know where you live, so that is probably not a good plan.

Best answer – work hard to protect yourself and hope that your breaches are small.

Sorry if you were looking for a better answer.

M

 

 

 

 
