It’s been another hectic week in the world of Infosec / IT security / Cyber Security (choose as appropriate). So let’s jump straight into it.
Iran is building up its cyber capabilities and the emergence of a group of hackers, dubbed APT33, has given rise to concerns the nation's cyberwarfare units are looking to launch destructive attacks on critical infrastructure, energy and military bodies.
- Meet APT33: A Gnarly Iranian Hacker Crew Threatening Destruction | Forbes
- Threat data, IOCs and information on APT33, aka greenbug | OTX
Data breaches and Class action lawsuits
Should individuals whose data has been breached have the right to sue companies? It’s a tricky question, and one that the courts are seemingly having trouble deciding. Recently, a judge dismissed two consolidated class actions by more than 21m federal employees who had information breached by the Office of Personnel Management (OPM). The judge concluded that the federal employees could not establish their threshold right to sue in federal court because they had not shown they faced imminent risk of identity theft, even though nearly two dozen of those named in the class actions claimed their confidential information had already been misused.
Hopefully things will change going forward. The problem with identity theft is that it’s not time-dependent. An attacker could hoard details for a long period before committing a crime. And even when an identity is stolen, it is difficult to tie it back to where the breach occurred.
- OPM Data Breach Lawsuit Tossed, Fed Plaintiffs will Appeal | Dark Reading
- OPM Says Gov't Workers' Data Breach Suit Fails | Law360
- In the long run, class actions may not be the best way to redress data breaches | Reuters
- My three years in identity theft hell | Bloomberg
The Ghost of Windows XP
As the lyrics go, “They stab it with their steely knives, but they just can’t kill the beast.” In this case, the beast seems to be Win XP, which, despite being woefully outdated, continues to make its presence felt.
The latest announcement is that a fifth of the Manchester police department is running Win XP.
- Manchester police still relies on Windows XP | BBC
- Manchester Police are using Windows XP on one in five computers | V3
When insurance goes too far
Melina Efthimiadis along with her husband wanted to add personal umbrella liability insurance to their Nationwide homeowner's policy. She says they have been low-risk clients so she didn't think it would be a problem. In the application process for Nationwide, Melina says they had to write down the number of dogs they owned and their breeds, which are Shih Tzu/Yorkie, a Hound and Hound/Lab mix. Melina says they waited for approval, but instead got a cancellation letter from Nationwide. She says the reason, "We were being cancelled because we had an ineligible dog breed that we failed to disclose."
SEC discloses breach that may have enabled insider trading
Hackers may have used information stolen from the US financial regulator to make "illicit gain" through insider trading, the body's chairman admitted.
A flaw in the software used to file sensitive corporate information with the US Securities and Exchange Commission (SEC) was exploited in 2016, according to a statement from Jay Clayton.
However, it was not until August 2017 that the agency realised criminals may have used the hack to give themselves an advantage on the stock market.
- SEC Discloses Breach That May Have Enabled Insider Trading | Fortune
- SEC Says Hackers Breached Its System, Might Have Used Stolen Data for Insider Trading | Bleeping Computer
- US SEC suspects hackers used stolen insider info for trading | engadget
Befriending your hacker
A very interesting account that’s less about hacking, and more about personal relationships and how social media has changed interactions in ways people could never have envisaged.
Data breaches: Fear, outrage, or apathy?
A really good post about how people feel when they discover their data has been compromised in a breach.
Based on the CPM work that exists, I believe this inability to negotiate and control how these entities use and protect private information leads to both the short-term outrage and long-term apathy when PII is lost in a data breach. After a data breach, when people ask questions like "why did you still have this data?" or "why wasn't it better secured?" they're basically saying that the co-owners of their PII (whoever got breached) violated their expectations for how that private information should be handled.
Detecting ATM skimmers
The people over at Sparkfun have made an app that searches for nearby Bluetooth devices that may be ATM or gas pump skimmers. The blog post goes into great detail about how skimmers are designed and operate and is well worth the read.
- Gas Pump Skimmers | Sparkfun
CCleanup: A Vast Number of Machines at Risk
Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected. According to Avast's own figures, 2.27 million ran the affected software, though the company said users should not panic.