Tag Archives: Morgan Stanley

Security News for the Week Ending July 16, 2021

Supply Chain Attacks Roll On

The Accellion File Transfer Appliance vulnerabilities have been the source of many breach notifications over the last several months. For whatever reason, they seem to be dribbling out. The newest one is Morgan Stanley. In this case, it was a Morgan Stanley VENDOR that was using Accellion, so instead of the third party attacks we talk about all the time, this is a fourth party attack. Of course, Morgan Stanley will take the heat, fines and lawsuits. Are you sure your vendors have your back? What about their vendors? Credit: Data Breach Today

Senate Finally Confirms Jen Easterly as Head of DHS/CISA

After CISA had gone without an official chief for 8 months, and after one Senator pulled a pre-July 4th political stunt that delayed her confirmation, the Senate unanimously confirmed Easterly this week. Easterly retired from the Army in 2011, was the deputy director for counterterrorism at the NSA, served on the National Security Council staff at the White House and is a two time Bronze Star recipient. She is an outstanding person to lead CISA after Chris Krebs was fired last year for not following the party line. Credit: CNN

Did Russia Get the Message?

Remember the REvil ransomware gang? The folks that hacked Kaseya and JBS, among others? Well, their web sites are no more. Did the U.S. take them down? Did Putin decide he didn’t like the heat? Will they come back later under a different name? Not clear. But what is clear is that people who were trying to get their files decrypted by paying the ransom have a bit of a problem, as in kinda out of luck. My guess is Biden told Putin to fix the problem or we would fix it for him and he probably would not like the collateral damage. Credit: MSN

Hackers are Hard to Kill Off

Last year around election time the Pentagon was full of press releases saying they took down a Russian hacking operation called Trickbot. They have millions of victims around the globe. Bitdefender found that they are resurrecting their tools, updating them, etc. While Bitdefender found this particular tool using a honeypot, it doesn’t mean that was their only tool and it certainly does not mean they will shut down. It does mean that hacker networks are so profitable that they will come back from the dead. Credit: The Daily Beast

Want a $10 Million Prize?

The feds are offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government. On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure. The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.” The feds set up a Tor site to report information confidentially. Credit: Bleeping Computer

The Insider Risk

In January Morgan Stanley caught one of its financial advisors, Galen Marsh, after he stole data on 350,000 clients and someone posted part of it on the Internet.

This month a JPMorgan employee, Peter Persaud, was arrested for selling customer data to an undercover FBI snitch.

While both of these people were in the financial services world, insiders taking information is certainly not limited to that industry.

We hear stories all the time of sales people taking their Rolodex with them when they leave a company.

We hear stories of tech people taking code with them and to a lesser extent, taking customer lists.

The scary question is the part that we do not hear about.

In the case of Marsh (see WSJ article), he admitted to taking the data. He did, however, claim that he did not post it online (where it was found), nor did he try to sell it. The information which did appear on the Internet included names, account numbers, state of residence and asset values. These were all high net worth clients, with balances in the hundreds of thousands to millions of dollars. He had been an employee since 2008.

In the other case, Persaud was paid $2,500 by an FBI snitch in exchange for information on an account with a $19,000 balance. The snitch was supposed to pay him an additional $7,500 after he emptied the bank account. He also tried to sell information on 4 other accounts with a combined balance of $150,000 (see Bloomberg article).

For every story that we hear about, where someone is discovered, arrested and prosecuted, there are thousands that we don’t know about. In some cases, companies find out about it but choose not to prosecute because they do not want customers or investors to find out that the data that they entrusted the company with is not safe. Not to pick on law firms, but they are a hot target, and there are few circumstances that require them to disclose breaches to their clients unless it contains health or credit information.

The questions to ask yourself are these:

IF ONE OF MY EMPLOYEES WALKED OUT THE DOOR WITH MY CUSTOMER LIST, SALES DATA, TECHNICAL INFORMATION OR INVESTOR INFORMATION, WOULD I KNOW THAT THEY DID?

IF THEY SOLD IT ON THE DARK WEB, WOULD I KNOW?

For most companies, the answer is no. Chase spends about $250 million a year on cyber security and after the loss of 75,000,000 client accounts to hackers late last year, CEO Jamie Dimon promised to double that to $500 million.

In most cases, internal controls are loose and employees would not trigger any alarms if they copied data. After all, they are trusted – we hired them, didn’t we?
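The "would I know?" question above comes down to whether any control baselines how much client data a person normally touches. As an added example (not from the article or any of the firms it names), here is a small Python check over a constructed CRM audit log that flags a user whose distinct-client volume in one day dwarfs their own prior days; the log format, usernames and thresholds are assumptions.

```python
"""Added example: spotting bulk client-record access in an audit trail.

Constructed CRM audit log (format assumed, not any real product's): one line
per event, 'date,user,action,client_id'. A user is flagged when the number of
distinct clients touched in one day dwarfs that user's own prior daily median.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: 'alice' normally touches a few clients a day, then
# exports 400 records in one session; 'bob' stays within routine.
AUDIT_LOG = """\
2021-07-12,alice,view,C1001
2021-07-12,alice,view,C1002
2021-07-12,alice,view,C1003
2021-07-13,alice,view,C1001
2021-07-13,alice,view,C1004
2021-07-13,bob,view,C2001
2021-07-14,bob,view,C2002
2021-07-14,bob,export,C2002
""" + "\n".join(f"2021-07-14,alice,export,C{n}" for n in range(1000, 1400))

def daily_distinct_clients(log):
    """Return {user: {date: set(client_ids)}} parsed from the audit lines."""
    per_user = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        if line.strip():
            date, user, _action, client = line.split(",")
            per_user[user][date].add(client)
    return per_user

def flag_bulk_access(log, min_records=50, ratio=10.0):
    """Return [(user, date, n, baseline)] for days where a user touched at
    least min_records distinct clients and at least ratio times the median of
    that user's earlier days (no history means only min_records applies)."""
    alerts = []
    for user, per_day in daily_distinct_clients(log).items():
        history = []
        for date in sorted(per_day):
            n = len(per_day[date])
            baseline = median(history) if history else 0
            if n >= min_records and n >= ratio * baseline:
                alerts.append((user, date, n, baseline))
            history.append(n)
    return alerts
```

The rule is deliberately simple; in practice the baseline would come from weeks of history and the alert would be joined with HR events such as a resignation notice.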

A 2012 study found that almost half of the employees questioned would sell their corporate credentials for $150.  Whether half or $150 are exactly correct or not, the fact that any would sell it for a few hundred dollars speaks to the fact that employees don’t have much loyalty to companies who, they think, will show them the door if it is convenient to the company.

How much do you spend on cyber security?