The week in cyber security, featuring spying, phishing, ransom minus the ware and at least one ‘destructive’ logic bomb.
The trouble with cyber security is that there is virtually no good press. You don’t make it in the news for fighting off an attempted DDoS attack or for successfully updating and patching your systems. Nobody cares about that stuff. We, as a society, are more interested in the disasters. They may not admit it, but the majority of the people in the stands at a NASCAR race aren’t there to admire the mechanical ingenuity on display, nor are they particularly interested in the beauty of a perfect racing line. They want to see cars go fast and they’ll happily take a crash or two along the way.
Security is no different. People are far more interested in the crashes and the fast, flashy stuff than what’s going on under the hood, or what the computer-equivalent of a perfectly executed pit stop looks like.
So let’s look at some car crashes! Here are the most interesting stories from the past week in cyber security…
Equifax Phishes its Own Customers
The woes just keep on piling up for Equifax. Since announcing its breach, which came as a result of not patching a known vulnerability, the company’s two highest-ranking security officers have retired, researchers have discovered additional vulnerabilities, and an additional, earlier breach has been disclosed. And now this: the company has been accidentally tweeting out the address of a fake Equifax phishing website for the past two weeks. Equifax set up a domain called equifaxsecurity2017.com. Unfortunately, the company tweeted out securityequifax2017.com by mistake. That domain was set up by software engineer Nick Sweeting. Why? Because it’s funny. But also, education. Fortunately, nobody’s information was actually stolen (this time). But still, Equifax, maybe sit the next few plays out.
Hackers Hold Entire School District for Ransom
There’s a school district in Flathead Valley, Montana, that probably needs to put cyber security on the agenda for its next board meeting. The entire district, more than 30 schools, shut down for three days after a group of hackers going by the name “TheDarkOverlord Solutions” threatened the district. The group issued death threats to students’ parents and threatened to release personal information belonging to students, teachers, and administrators unless a ransom was paid. The school district re-opened on Tuesday with heightened security. You may know TheDarkOverlord Solutions as the group that unsuccessfully tried to extort Netflix before leaking season five of the show Orange is the New Black. In this instance, the hackers were able to get access to the district’s server and extract students’, teachers’ and administrators’ personal information, including medical records, but whether or not this truly constitutes ransomware is open to interpretation. I tend to view ransomware as involving encryption. Maybe your definition is different. Either way, sending death threats to school kids and trying to extort them with their personal information is repugnant.
[Source: Naked Security]
The GO Keyboard App is Spying on You
If you have the app GO Keyboard installed on your phone, you may want to delete it. Security researchers from Adguard have discovered that the app transmits personal information about users to remote servers. This is kind of a big deal for obvious reasons, but it also conflicts with the app’s description, which explicitly states that GOMO Dev Team, the app’s creator, will never collect your personal info. According to Adguard: “Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.”
[Source: Beta News]
Logic Bombing the US Army
Mittesh Das of Atlanta, Georgia, is looking at a decade-long stint in the slammer following his conviction for “knowingly transmitting malicious code with the intent of causing damage to an Army computer used in furtherance of national security.” Das’ company had recently lost a contract to provide technology to the US Army Reserve. So, in a move he probably now regrets, he installed some malware in the Army Reserve’s payroll system that was designed to delete files and knacker services. The malware was a “logic bomb,” designed to go off at a certain date, in this case after the government contract was handed over to another company. The remediation effort cost the Army $2.6 million. Das will be sentenced January 9.
[Source: The Register]
46,000 New Phishing Sites Created Each Day
According to Help Net Security, using data provided by Webroot, an average of 1.385 million new phishing sites are created every month, with May 2017 owning the record (2.3 million). In addition to being created at such a rapid pace, phishing sites are becoming more sophisticated, complete with convincing layouts, URLs designed to elide convincingly in modern browsers and even SSL certificates to add a layer of legitimacy. We cover phishing a lot here at Hashed Out, and the ingenuity on display with some of these attempts is staggering. And it can happen to anyone. So remember, always be vigilant when opening emails and following links.
[Source: Help Net Security]
SEC Breach Could Jeopardize TRILLIONS
Remember yesterday, when we reported that the SEC had disclosed a 2016 breach in which insider information had been accessed? Well, it’s kind of a big deal. According to security expert Morgan Wright, it could impact “trillions of dollars.” I didn’t write this yesterday, but the thought certainly crossed my mind that burying this disclosure in a larger statement seemed a little bit sneaky. Well, it turns out a lot of people viewed it that way. We’re beginning to hear rumblings from Congress over this, and I imagine this story is going to snowball pretty quickly. The SEC should probably get ready to provide testimony to Congress and oversight to investigators because this is just getting started.
[Source: Fox Business]