Lots of important security updates this week, including a great “top 10” list of cybersecurity predictions for 2017 and a list of the top 7 data breaches of 2016.
But first, I’d like to share this excellent article from The Lane Report, for which I served as an expert resource. In it, author Robin Roenker outlines security guidelines for data backup, the Internet of Things, foundational security protections, phishing and ransomware avoidance, and employee training.
Scam of the Week: Cybersecurity Predictions for 2017
Top 10 Cybersecurity predictions for 2017 (in alphabetical order)
1) ARTIFICIAL INTELLIGENCE.
Machine Learning and AI *will* move forward with lightning speed. You will be able to talk to supportbots and not know if it is a human or not. You will also see fully programmable digital avatars going into commercial use.
2) BLOCKCHAIN
Micropayments and Blockchain applications will go mainstream in 2017. Mobile payments will grow massively, and apps will use “micro-payments” built on digital protocols like the Blockchain. Perhaps Blockchain will allow us to vote from our own devices in the next election. We will see the first smart contracts built on Blockchain.
Ransomware-as-a-Service will become a major threat vector, with a new technical feature using Blockchain to deliver the decryption keys after ransom payment.
3) BOARD ROOM
During 2016, boards of directors have realized that InfoSec Risk Management is an enterprise risk equivalent to financial, reputational, and legal risk. In 2017, there will be a raft of boards demanding a corporate security culture starting from the C-level down.
4) CEO FRAUD aka BUSINESS EMAIL COMPROMISE
CEO fraud was the up-and-coming cyberfraud scheme, right behind ransomware, these last 12 months. During 2017 it will become an epidemic, equaling the ransomware plague we are suffering now. Remember the Nigerian prince scams? These cyber gangs really are in Nigeria, but they have climbed up the criminal food chain, and CEO fraud is their focus now.
5) ESPIONAGE
During 2017 it will become apparent that espionage went massively mobile without anyone noticing. Revelations about both Android and iPhone devices will show they have had 0-days for several years and that the NSA was able to own any device it wanted at any time.
6) INTERNET OF THINGS
A major outage caused by a purely malicious Botnet of Things like Mirai will prompt the new U.S. Administration to enforce IoT device security standards and require certification from device vendors.
7) MOBILE MALWARE
Mobile malware will continue to grow at an exponential rate. During 2017 tens of millions of smartphones will be infected with auto-rooting malware. New strains can embed themselves in a phone’s bootloader and remain persistent even after factory reset. Scary.
8) OPEN SOURCE
In 2017 we will see a very high-profile data breach based on an open source vulnerability that was disclosed in… wait for it… 2012. The average age of an open source vulnerability in commercial applications is more than five years, and almost everyone is using open source these days. Ouch.
9) RANSOMWARE
We have seen exponential growth in ransomware infections in 2016, and this trend will continue in 2017. There are close to 250 different families at this point; this will triple in the next 12 months.
Locky will be the first strain to reach $1 billion in criminal revenues. Organized Eastern European cybercrime will continue to specifically target health care, education and local government with updated ransomware strains.
10) STATE SPONSORED HACKING
Look, we have a low-grade cyberwar and massive cyber arms-race going on. It’s simmering and now and then it flares up, basically with proof-of-concept attacks, except for Stuxnet which was the real deal. In 2017 we may very well see the first major real-world damage caused by state-sponsored hacking.
So, good riddance to terrible 2016, which topped all other years in total records stolen.
Unfortunately in most respects, 2017 won’t change much: untrained users will still click on malicious links and open infected attachments. IT will still have trouble with patching. The bad guys will still attack and bad news from data breaches will continue. Cyberattacks will become increasingly destructive.
What matters most is whether your organization will be a victim or not. Of course you could do nothing and be lucky. But the only way to control your destiny is to make your organization a hard target based on a top-down, security-first culture.
Remember: think before you click!
https://www.beyondtrust.com/blog/ten-cyber-security-predictions-2017/
Security Headlines
Expedia I.T. guy made $300K by hacking own execs
A former Expedia IT professional admitted on Monday to illegally trading on secrets he discovered by hacking his own company’s senior executives.
Jonathan Ly stole passwords and infiltrated devices of Expedia’s (EXPE) chief financial officer and head of investor relations, allowing him to make a series of “highly profitable” trades in stock options that scored him $331,000, according to prosecutors.
https://money.cnn.com/2016/12/05/technology/expedia-hack-insider-trading-sec/index.html
HealthcareinfoSecurity – HHS Offers Tips on Mitigating DDoS Risks
Federal regulators have issued an alert urging healthcare sector organizations to take specific steps to prevent falling victim to distributed denial-of-service attacks.
Signs to Watch For
OCR notes that while not all disruptions to service are the result of a DDoS attack, the U.S. Computer Emergency Readiness Team (US-CERT) warns that the following network or computer symptoms could indicate a DDoS attack:
- Unusually slow network performance, such as when opening files or accessing websites
- Unavailability of a particular website
- Inability to access any website
- Dramatic increase in the amount of spam received in a technology account
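The first three symptoms above (slow responses, one site unreachable, no site reachable) are the kind of thing a small availability monitor can flag automatically instead of waiting for user complaints. The script below is an added example and is not part of the HHS/OCR alert or the US-CERT guidance. It assumes a synthetic-monitoring job that periodically times a request to each site and records the latency (or a failure); the site names and probe results here are constructed. Slowness is measured against a median baseline from a healthy period, and a single bad probe is ignored so that one hiccup does not raise an alert. It also goes slightly beyond the list by separating "one site is down" from "every site is down", since the latter usually points at the local link or upstream rather than at a single target.

```python
"""Flag the DDoS warning signs listed by US-CERT from periodic probe results.

Added example, not part of the original alert. Probe data is constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Probe:
    site: str
    latency_ms: Optional[float]  # None means the request failed (site unreachable)


def baseline_latency(history: List[float]) -> float:
    """Median latency from a healthy period; the median resists the odd spike."""
    return median(history)


def classify(site: str, history: List[float], recent: List[Probe],
             slow_factor: float = 4.0, min_hits: int = 3) -> str:
    """Return 'ok', 'slow' or 'unavailable' for one site.

    'unavailable': at least min_hits of the recent probes failed outright.
    'slow':        at least min_hits recent probes exceeded slow_factor x baseline.
    Anything below min_hits is treated as noise and reported as 'ok'.
    """
    base = baseline_latency(history)
    mine = [p for p in recent if p.site == site]
    failures = sum(1 for p in mine if p.latency_ms is None)
    slow = sum(1 for p in mine
               if p.latency_ms is not None and p.latency_ms > slow_factor * base)
    if failures >= min_hits:
        return "unavailable"
    if slow >= min_hits:
        return "slow"
    return "ok"


def assess(history: Dict[str, List[float]], recent: List[Probe], **kw) -> Dict[str, str]:
    """Classify every monitored site."""
    return {site: classify(site, hist, recent, **kw) for site, hist in history.items()}


def network_wide(results: Dict[str, str]) -> bool:
    """True when every monitored site is unavailable: the 'cannot access any
    website' symptom, which points at the monitoring host's own connectivity
    or an upstream problem rather than at one target."""
    return bool(results) and all(v == "unavailable" for v in results.values())


# Constructed sample data: healthy-period latencies and the last four probes.
HISTORY = {
    "portal": [120, 130, 125, 140, 118, 122],   # median 123.5 ms
    "ehr":    [300, 310, 290, 305, 295, 320],   # median 302.5 ms
    "mail":   [80, 85, 90, 82, 88, 84],         # median 84.5 ms
}
RECENT = [
    Probe("portal", 900), Probe("portal", 1200), Probe("portal", 1100), Probe("portal", 950),
    Probe("ehr", None), Probe("ehr", None), Probe("ehr", None), Probe("ehr", 310),
    Probe("mail", 86), Probe("mail", 400), Probe("mail", 83), Probe("mail", 90),
]

if __name__ == "__main__":
    results = assess(HISTORY, RECENT)
    for site, state in results.items():
        print(f"{site}: {state}")
    if network_wide(results):
        print("all monitored sites unreachable: check local/upstream connectivity")
```

With the constructed data, "portal" is reported as slow (every recent probe is well over four times its baseline), "ehr" as unavailable (three failed probes), and "mail" as ok (only one probe was slow). Thresholds like `slow_factor` and `min_hits` should be tuned against your own traffic, since a legitimate traffic spike can look the same as an attack from the outside.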
https://www.healthcareinfosecurity.com/hhs-offers-tips-on-mitigating-ddos-risks-a-9585
BankinfoSecurity – IoT Botnet Plague: Coming Soon to an ISP Near You
Coming soon to an internet service provider near you: routers infected by internet-of-things botnet-building malware such as Mirai.
Issued routers that contain a vulnerability now being exploited by at least one Mirai variant. Security researchers say the vulnerability appears to relate to a poor implementation of the TR-064 “LAN-Side DSL CPE [Consumer Premises Equipment] Configuration” protocol in its routers.
https://www.bankinfosecurity.com/blogs/iot-botnet-plague-coming-soon-to-isp-near-you-p-2339
BankinfoSecurity – Bangladesh Bank Heist Probe Finds ‘Negligent’ Insiders
An internal investigation into the February theft of $81 million from the central bank of Bangladesh reportedly found that a handful of negligent and careless bank officials inadvertently helped facilitate the heist by outside hackers.
https://www.bankinfosecurity.com/bangladesh-bank-heist-probe-finds-negligent-insiders-a-9586
KrebsonSecurity – Researchers Find Fresh Fodder for IoT Attack Cannons
New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Security firm “SEC Consult” said it found two apparent backdoor accounts in Sony IPELA Engine IP Cameras. According to SEC Consult, the two previously undocumented user accounts — named “primana” and “debug” — could be used by remote attackers to commandeer the Web server built into these devices, and then to enable “telnet” on them.
https://krebsonsecurity.com/2016/12/visa-delays-chip-deadline-for-pumps-to-2020/
Darkreading – The 7 Most Sensational Breaches Of 2016
IRS
IRS refund fraud has been on the rise in recent years, so it was no big surprise that just as the tax season got into full swing this year the IRS announced an attack that put its anti-fraud measures into question. The agency reported that criminals had compromised its e-file PIN reset system and managed to get their hands on more than 101,000 of these PINs in the hopes of taking over taxpayers’ accounts and filing fraudulent returns.
Yahoo
While 2016 seems to have seen a drop-off in the mega breaches of the last several years, Yahoo managed to satisfy the schadenfreude quotient with the announcement of a massive breach that impacted over 500 million user account credentials. The cause of the breach is still anyone’s guess, though we do know that its origins were positively ancient for a newly announced exposure, occurring way back in 2014. Yahoo is already facing 23 class action lawsuits over the breach.
DNC Hack
Perhaps one of the most impactful breaches of the decade – the compromise of the Democratic National Committee email system and the subsequent data dump by WikiLeaks – had far-ranging political ramifications. Whether it was the Russians, Guccifer or anyone else is still up for widespread debate, though by most accounts the security was so minimal that it could have been anyone. Regardless of who leaked the emails, their contents contained plenty of damaging fodder that many pundits believe contributed to Hillary Clinton’s downfall in the presidential election.
Illinois and Arizona Boards of Election
Speaking of cybercrime’s impact on elections, experts are still trying to get a handle on the implications of a pair of attacks against the state boards of elections for both Illinois and Arizona. Illinois confirmed that hackers compromised a database containing up to 200,000 voter records with names, addresses, sex and birthdays, plus social security numbers and drivers’ license numbers. Similar information was compromised in Arizona, though officials there didn’t disclose how many records were impacted. In the wake of a controversial election, the shadow of these attacks will linger over the results, particularly as some experts air their suspicions that these attacks came at the hands of Russian hackers.
SWIFT Network
When news hit earlier this year that Bangladesh Bank had been snared by an audacious cyber heist that had attackers successfully abscond with $81 million in fraudulent transfers, it seemed the attack was a brilliant but isolated play against the firm’s systems. But in the ensuing months, news broke from Reuters that the attack was part of a larger-scale campaign by attackers to subvert the SWIFT messaging system used by global banks to send instructions for money transfers. Investigators have been looking into incidents at approximately a dozen banks and SWIFT is on alert to improve security practices at member banks that could lead to losses similar to those experienced by Bangladesh Bank.
San Francisco Municipal Transportation Agency
The past year was dominated by ransomware infections. The attackers are getting creative and the stakes are getting higher, as most recently illustrated in the Thanksgiving weekend attacks against the San Francisco Municipal Transportation Agency. Not only did attackers compromise personal information about employees and customers of the agency, but they also locked kiosks and computers for the agency for two days, forcing it to give free rides during that time or risk service interruptions.
FACC
This particular case will probably provide plenty of fodder for security vendors’ marketing collateral for years to come. FACC, a Boeing supplier, suffered from a spearphishing attack that enabled attackers to carry out a fraudulent $55 million money transfer that sent the company’s stock in a tailspin and completely destroyed the company’s ability to make a profit in 2016. It’s a worst-case security scenario trifecta: millions of dollars stolen, a CEO and CFO fired as a result of the hack, and a root cause that ultimately came down to executives getting duped by simple social engineering through spoofed emails.
https://www.darkreading.com/endpoint/the-7-most-sensational-breaches-of-2016/d/d-id/1327636
Vendor Information
Sophos – Windows XP ‘still widespread’ among healthcare providers
A report in Infosecurity Magazine reveals that 90% of NHS Trusts still run Windows XP. The publication cites a Freedom of Information Act request from Citrix in which more than half of respondents weren’t sure when they’d upgrade to a newer OS. Some 14% thought they’d do so by year’s end, and 29% expressed hope that they’d shift to a more modern version of Windows at some point in 2017.
https://nakedsecurity.sophos.com/2016/12/09/windows-xp-still-widespread-among-healthcare-providers/
Cisco – Impact: HIGH – Cisco IOS and IOS XE Software IPv6 First Hop Security Denial of Service Vulnerabilities
Two vulnerabilities in the IPv6 first hop security feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.
Cisco has released software updates that address these vulnerabilities. This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs
Cisco – Impact: HIGH – Cisco IOS Software and IOS XE Software Internet Key Exchange Version 2 Denial of Service Vulnerabilities
Devices running Cisco IOS Software or IOS XE Software contain vulnerabilities within the Internet Key Exchange (IKE) version 2 subsystem that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerabilities are due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit these vulnerabilities by sending malformed IKEv2 packets to an affected device to be processed. A successful exploit could allow the attacker to cause a reload of the affected device or excessive consumption of resources that would lead to a DoS condition. IKEv2 is automatically enabled on devices running Cisco IOS and Cisco IOS XE Software when the Internet Security Association and Key Management Protocol (ISAKMP) is enabled. These vulnerabilities can only be triggered by sending malformed IKEv2 packets. This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ikev2
Security Bulletins from the FBI
FBI – Joint Cyber Operation Takes Down Avalanche Criminal Network
It was a highly secure infrastructure of servers that allegedly offered cyber criminals an unfettered platform from which to conduct malware campaigns and “money mule” money laundering schemes, targeting victims in the U.S. and around the world.
But the Avalanche network, which was specifically designed to thwart detection by law enforcement, turned out to be not so impenetrable after all. Late last week, the FBI took part in a successful multinational operation to dismantle Avalanche, alongside law enforcement partners representing 40 countries and with the cooperation of private sector partners. The investigation involved arrests and searches in four countries, the seizure of servers, and an unprecedented effort to sinkhole more than 800,000 malicious domains associated with the network.
It’s estimated that Avalanche was responsible for as many as 500,000 malware-infected computers worldwide on a daily basis and dollar losses at least in the hundreds of millions as a result of that malware.
https://www.fbi.gov/news/stories/joint-cyber-operation-takes-down-avalanche-criminal-network