By Andrew Paulette and Mesay Degefu
1.) Suspect trading in Equifax options before breach might have generated millions in profit (September 8, 2017)
Summary: Unusual trading in Equifax options in mid-August suggests millions of dollars in profit were generated after Thursday’s disclosure of a massive data breach at the credit reporting company affecting 143 million consumers and their personal information.
Why it matters: Someone profited ($4.2 million) through short selling Equifax stocks after the data breach had occurred but before it was disclosed to the public. A similar short sale occurred last year when Muddy Waters published a report stating St. Jude medical devices were vulnerable to hacking due to security flaws, causing stocks in the company to drop.
The suspect was likely either an insider with Equifax, or someone associated with the threat actor who caused the data breach. The idea of making a payday from full disclosure of a serious vulnerability or via advanced knowledge of a serious security data breach is a creative method that could be used to monetize blackout activities – hopefully we won’t see it become more frequent in the future.
2.) Billions of devices imperiled by new clickless Bluetooth attack (September 12, 2017)
Summary: Over the past decade, Bluetooth has become almost the default way for billions of devices to exchange data over short distances, allowing PCs and tablets to transfer audio to speakers and phones to zap pictures to nearby computers. Now, researchers have devised an attack that uses the wireless technology to hack a wide range of devices, including those running Android, Linux, and, until a patch became available in July, Windows.
Why it matters: BlueBorne is a vulnerability in the Bluetooth implementation of 5.3 billion devices, including Windows, Android, Linux, and Apple, which allows attackers to perform Man in the Middle and Remote Code Execution, and deliver malware on devices that have bluetooth turned on. No pairing or discovery are necessary on the target device.
With Bluetooth on so many IoT devices, including phones that don’t receive Google patch updates and run outdated versions of Android OS, many devices vulnerable to these BlueBorne attacks will never be fixed. For those devices within organizations that cannot be patched, organizations should plan their defense-in-depth to use other technical controls to prevent, detect, and correct against network intrusion attempts.
3.) Failure to patch two-month-old bug led to massive Equifax breach (September 13, 2017)
Summary: The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more than two months earlier, officials with the credit reporting service said Thursday.
Why it matters: Recent reporting confirms that the Apache Struts vulnerability used against Equifax was one which has been disclosed two months prior to the intrusion into their network. This is not surprising – if Equifax had been compromised due to what would have been a zero-day at the time of intrusion, they would have made that point very early on in their notification to reduce the bad PR they have received thus far.
Not patching a vulnerability with known consistent exploits in the wild for two months after the patch’s release will not bode well for Equifax in the coming legal action and investigations. Failure to patch this vulnerability, and what appears to be inadequate mitigating controls to reduce the risk of this unpatched software gives Equifax the appearance of being negligent in protecting the PII their systems contained. This is sure to be a textbook example for future InfoSec classes of a company that did not exercise due diligence to protect their data, and had their bottom line hurt as a result.
4.) DHS gives agencies 90 days to remove Kaspersky Lab IT from networks (September 13, 2017)
Summary: The Homeland Security Department is giving agencies 30 days to identify where they are using products and services from Kaspersky Lab and to remove those technologies from federal networks 60 days after that.
Why it matters: While there is no doubt sensistive information not available to the public helped drive DHS’s decision, the Binding Operational Directive to block Kaspersky products from federal networks is vague. Antivirus will always have “broad access to files and elevated privileges” due to the nature of the software and it is not uncommon for technology companies to assist with law enforcement and intelligence activities within the countries where they operate.
This is not to say that the decision is necessarily a poor one – the Russian government has greater leverage over Kaspersky than a company such as McAfee. It follows similar decisions the US company has made for companies in China such as Huawei. In addition, if any form of monitoring information is sent back to Kaspersky, it can be intercepted more easily (if the data is collected within Russian boarders). If any additional information can be shared by DHS, it should be provided so that other organizations using Kaspersky products can weigh these additional risks posed to them and the IT infrastructure of the US.
Third-party audits for security products used by the federal government should be a mandatory part of the acquisition process to help ensure unexpected, inadvertent risks are not introduced during the acquisition of new products into federal information systems.
5.) What Will Cybersecurity Look Like 10 Years From Now? (September 14, 2017)
Summary: Today, most of our critical systems are interconnected and driven by computers. In the future, this connection will be even tighter. More decisions will be automated. Our personal lives will be reliant on virtual assistants, and IoT connected devices will be part of almost every function of our daily lives. Connected cars will make our daily commute easier, and virtually all of our personal data will reside in cloud computing, where we don’t fully control the dataflow and access to information.
Why it matters: Today, most cybersecurity related laws and regulations are considered obsolete. Ten years from now, security will be even more complex due to an increase in connectivity and shifting to more automation. Therefore, creating laws and regulations that address future cybersecurity issues will become even more difficult; cooperation between the US government, the private sector, and foreign governments is critical.