Secret Service Warns That ATM Wiretapping is on the Rise*:
- The US Secret Service has issued a warning to banks due to a recent surge in incidents of ATM wiretapping.
- ATM wiretapping or eavesdropping is more complicated than many other attacks.
- In order to be successful, a criminal must drill a large hole in a cash machine and use a combination of magnets and devices to attach a skimmer directly to the ATM card reader.
- This skimmer then harvests credit card information.
- The hole is concealed with metal or a decal, and cameras are also embedded to capture PIN number input.
- They are often installed directly above a PIN card and disguised with a false fascia.
- According to Krebs, an endoscope -- a thin, long tube with a camera at its end most commonly used in medical applications -- is often part of the criminal's kit, as it allows users to check inside a compromised ATM's innards to check the skimmer is in place.
- The attack setup can demand days of tampering, which makes it not only risky, but difficult, and there is a delay between installing skimmers and cameras to make sure anti-tampering alarms stay dormant.
- Sources said that how-to documents which describe the possible ways to conduct these attacks are being shared widely.
- This may give threat actors the knowledge required to further ramp up ATM wiretapping attack rates in the future.
- Originating in Russia, Europe, and Asia, jackpotting is another issue which has recently reached American shores.
- Jackpotting relates to the physical damage caused to an ATM in order to install malware -- such as Ploutus.D -- and other payloads or logic attacks to drain a machine of cash and force it to uncontrollably release funds.
- The problem has become severe and widespread enough to prompt IBM to open dedicated facilities to tackle weaknesses in ATM security.
- The company has experienced a 300 percent increase in ATM testing requests since 2017.
*Source: ZD Net, October 01, 2018
California Enacts First-In-Nation IoT Security Law*:
- The first IoT Security Act in the US has just been signed into law in California.
- The law isn't just about the IoT, but billions of small connected devices will have to add critical features if they're sold in the state after Jan. 1, 2020.
- SB-327 is broad legislation that applies, with some exceptions, to "…any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."
- Those devices will be required to have basic security capabilities installed — though precisely what those might be is not spelled out in the legislation.
- Instead, the law requires steps that are "appropriate" to the device and the information it collects, protecting each from "…unauthorized access, destruction, use, modification, or disclosure."
- Specifically, if a device has provisions for unique authentication of device and/or users, it is considered to be in compliance with the law.
- The exceptions to the requirement are those devices that fall under federal laws or regulations, including medical devices.
*Source: Dark Reading, October 01, 2018
Financial Sector Data Breaches Soar Despite Heavy Security Spending*:
- The preparedness of banks to deal with threats, such as a recently reported plan by criminals to launch mass attacks on ATM machines worldwide, would appear to be shaky at best considering the number of data breaches in the financial sector this year.
- Security vendor Bitglass recently analyzed data breaches disclosed by banks, insurance companies, investment firms, and other financial services institutions thus far in 2018 and compared it with the same data from two years ago.
- Between January and August this year, financial firms disclosed three times as many breaches as they did in the same period in 2016—103 in 2018 compared to 37 two years ago.
- The top three breaches alone this year compromised more records than the 64,512 records exposed in all of 2016.
- Hacking and malware were once again the primary causes like they were in 2016, and accounted for 74% of the data breaches that financial companies have disclosed so far this year.
- Nearly 15% of the breaches resulted from accidental data disclosures.
- The biggest incident this year involved an employee at SunTrust Banks who stole the names, addresses, phone numbers, and account balances of some 1.5 million of the banks' customers.
- The breach numbers suggest that while financial services companies spend more on cybersecurity than most other organizations — and are more heavily regulated than others — the sector as a whole doesn't appear to be becoming a whole lot more secure over time.
- One of the reasons, of course, is that cybercriminals target banks and financial institutions more heavily than organizations in most other industries.
- Banks and other financial firms have significantly better defenses against malicious activities, but precisely for that reason they also tend to be targets of much more sophisticated threats.
- Another reason is that financial services institutions, like organizations in other sectors, have a tendency to over-rely on the tools they already have in place.
- Companies often tend to stick with their existing tools because they have invested significant funds in them, and because they overestimate the ability of the products to deal with current and emerging threats.
- Regulations such as the Gramm-Leach-Bliley Act and PCI DSS have been useful in getting financial companies to pay more attention to security, but many continue to treat compliance with these regulations as the end goal of their security efforts.
- Market research firm IDC expects that enterprises worldwide will spend north of $91 billion on cybersecurity this year. Banks, the federal government, and discrete manufacturers will be the biggest spenders, with more than $27 billion in spending.
- While such spending might indicate banks are getting better at security, that is not always the case.
- Deloitte's cyber risk service practice earlier this year surveyed CISOs from 51 organizations in the financial services sector including banks, insurance companies, and investment management firms about their cyber risk management strategies.
- Deloitte's study showed that the amount of money an organization spends on cybersecurity doesn't automatically translate to better security.
- Deloitte found that many financial companies with below average security spending had a better risk posture than companies that spent a lot more.
- Factors that did affect security were top-level accountability, a culture that emphasized shared responsibility for security, and a risk-focused approach to mitigating security threats.
- At the same time, Deloitte also found that larger financial companies are not allocating enough resources to cybersecurity, with budgets ranging between 5% and 20% of the total IT budget, and the average hovering around 12%.
*Source: Dark Reading, October 02, 2018
How China Used a Tiny Chip to Infiltrate US Companies*:
- In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video.
- Based in Portland, Ore., Elemental made software for compressing massive video files and formatting them for different devices. Its technology had helped stream the Olympic Games online, communicate with the International Space Station, and funnel drone footage to the Central Intelligence Agency.
- Elemental’s national security contracts weren’t the main reason for the proposed acquisition, but they fit nicely with Amazon’s government businesses, such as the highly secure cloud that Amazon Web Services (AWS) was building for the CIA.
- To help with due diligence, AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security, according to one person familiar with the process.
- The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression.
- These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small.
- In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test.
- Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design.
- Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.
- Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.
- And Elemental was just one of hundreds of Supermicro customers.
- During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines.
- Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.
- This attack was something graver than the software-based incidents the world has grown accustomed to seeing.
- Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.
- There are two ways for spies to alter the guts of computer equipment.
- One, known as interdiction, consists of manipulating devices as they’re in transit from manufacturer to customer.
- The other method involves seeding changes from the very beginning.
- One country in particular has an advantage executing this kind of attack: China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs.
- Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle.
- But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army.
- In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.
- One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc.
- Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers.
- Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards.
- Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.
*Source: Bloomberg Business Week, October 04, 2018
The 6 Most Popular Cyberattack Methods Hackers Use to Attack Businesses*:
- Q2 2018 saw a 47% increase in cyberattacks over Q2 2017, with targeted attacks outnumbering mass campaigns as cybercriminals grow more sophisticated.
- Most cases involved targeted attacks on companies and their clients, as well as cryptocurrency exchanges.
- Data theft is driving an increasing number of attacks, with many criminals seeking personal data (30%), credentials (22%), and payment card information (15%).
- To steal this data, hackers are compromising online platforms, including e-commerce websites, online ticketing systems, and hotel booking sites
- Here are the six most popular cyberattack methods criminals used in Q2 2018:
- Malware (49%) – Cybercriminals continue to steal data from victims' computers, most commonly using spyware or remote administration malware to do so.
- Social Engineering (25%) – Cybercriminals continue to innovate in the social engineering space, developing new methods to manipulate users into believing a message, link, or attachment is from a trusted source, and then infecting targeted systems with malware, stealing money, or accessing confidential information.
- Hacking (21%) – Exploiting vulnerabilities in software and hardware is often the first step in an attack; hackers currently cause the most damage to governments, banks, and cryptocurrency platforms.
- Credential Compromise (19%) – While enterprise users increasingly look to password managers for storing and keeping track of passwords, these managers can also be vulnerable to attack.
- Web Attacks (18%) – Cybercriminals can extort website operators for profit, sometimes by threatening to steal client databases or shut down the website.
- DDoS (5%) – DDoS tends to be the weapon of choice for business rivals, disgruntled clients, and hacktivists; these attacks typically hit government institutions, and political events are a major driver.
- While these are real threats to a business, companies can take several steps to keep their data safe, including centralizing update management, placing antivirus protection on all systems and endpoints, and implementing SIEM capabilities
- Businesses should also encrypt all sensitive information, perform regular backups, minimize the privileges of users and services as much as possible, and use two-factor authentication.
- Enforcing a password policy with strict length and complexity requirements, and requiring password changes every 90 days, can also help protect your systems.
*Source: Tech Republic, October 03, 2018
Amazon Employee Shared Email Addresses With Third Party Seller*:
- In September, Amazon started investigating reports that some of its employees in the US and China have been leaking data to third-party sellers in exchange for money.
- Now, the e-commerce giant has notified affected customers that an employee shared their email addresses with a third-party seller.
- Amazon told The Wall Street Journal that it already fired that particular employee and booted the seller who received the email addresses off the platform.
- More importantly, it said no other customer information other than those addresses were disclosed.
- Amazon didn't clarify whether that former employee was the sole culprit or if they just happened to be the only one caught out of many.
- It also didn't specify where they're from and didn't reveal the real scope of the issue.
- Based on WSJ's previous report, though, sellers have paid Amazon personnel as much as $2,000 for customers' email addresses.
- By knowing customers' personal accounts, the sellers can directly (and maybe even repeatedly) ask them to change or pull negative reviews, since "Verified Purchase" reviews affect products' placement on search results pages.
- In some instances, they reportedly bribed the employees to pull negative reviews. Seeing as several third-party sellers can list the exact same items, placement is crucial in making a sale.
- The company is now asking customers to give it a heads-up if they receive unsolicited emails from sellers, who could offer them free or discounted goods if they go back and change their reviews or give the listing a higher rating.
- By urging customers to do so, those sellers are also contributing to Amazon's fake review problem, which it has been grappling with for years.
*Source: EnGadget, October 06, 2018