Info Security


Gaming Giant EA Suffers Major Data Breach

Fri, 06/11/2021 - 11:34

Hackers have stolen a wealth of data from gaming giant Electronic Arts (EA), including game source code and tools for several popular games, it has been reported.

Cyber-criminals made the claim in posts on underground hacking forums, where they advertised a total of 780GB of data for sale. The posts were viewed and detailed by Motherboard, to which EA confirmed that it had indeed suffered a data breach.

Among the data stolen was the source code for the popular football game FIFA 21 and code for its matchmaking server, and source code and tools for the Frostbite engine, which powers several EA games, including Battlefield. Additionally, the attackers took proprietary EA frameworks and software development kits.

Fortunately, it appears that hackers stole no personal data of customers in the breach, and EA told Motherboard that it does not expect the attack to impact “our games or our business.” This means that players should not be at an increased risk of cyber-attacks, phishing or identity theft.

Tom Van de Wiele, the principal security consultant at F-Secure, explained that the biggest impact of the data theft could be that it offers valuable information for EA’s competitors to exploit. He said that “The EA source code and tools have a surprisingly high value to any company that operates in the shadows and want to get a leg up in competing with the bigger game development companies. Being able to steal an algorithm, approach, or game assets themselves and integrate them fast means not having to develop them on your own and means money and effort is saved that can be directed somewhere else. Especially when those games are released to a limited target group or platform where it is almost impossible to prove any wrongdoing or theft of intellectual property.”

Sam Curry, chief security officer at Cybereason, commented: “Oftentimes, there isn’t a lot of good news or optimism resulting from another global giant being breached. However, in the case of EA, they deal in petabytes of information so the reported amount of stolen data is relatively small in the gaming world. I’m not trying to diminish or minimize this compromise as the source code used to develop EA’s popular games has value to competitors and threat actors looking to sell the info on the darkweb.”

Curry also urged EA to share as many details as possible about how the breach occurred. “From initial reports, customer info, financial info or other proprietary information hasn’t been stolen. Behind the scenes, the threat actors either didn’t ultimately get where they wanted to in the network, or the good guys discovered the compromise early enough to limit the damage,” he said.

“EA should continue to be transparent, share as many details as possible and use this compromise as an opportunity to educate other companies in need of improving their own security hygiene. We should all look forward to hearing more from EA relating to this compromise and they have the opportunity to play the role of hero in this situation, as the role of villain or victim isn’t an option.”

Hackers have increasingly targeted the gaming industry in recent years due to its surging popularity. Researchers revealed they discovered 500,000 breached employee credentials and a million compromised internal accounts on the dark web from gaming firms earlier this year. 

Categories: Cyber Risk News

#G7UK: UK and US Strike New Agreements on Cybersecurity

Fri, 06/11/2021 - 10:45

The UK and US governments have agreed to work together more closely to tackle cybercrime as well as enhance the security of supply chains and emerging technologies. The announcement has come amid US President Joe Biden’s visit to the UK for the G7 summit, which has started today.

The partnership will be built within the framework of the revitalized Atlantic Charter, first introduced in 1941, and will cover a range of areas in science and technology, including cybersecurity.  

The two nations stated that they intend to cooperate to enhance the resilience and security of critical supply chains, battery technologies and emerging technologies such as AI and quantum. This forms part of their desire to ensure that the full potential of future technologies like quantum and 6G is realized.

Additionally, the two governments aim to improve the accessibility and flow of data to support economic growth, public safety, and scientific and technological progress.

More generally, the agreement emphasized the need to ensure liberal and democratic values are embedded into the design and standards governing technology globally. This is an issue that the director of GCHQ, Jeremy Fleming, highlighted in a speech back in April this year.

UK digital secretary, Oliver Dowden, commented: “In the 80 years since the Atlantic Charter was signed, technology has changed the world beyond recognition. But the goals that underpin it still bind the US and UK together today: support for democracy, open societies and free markets.

“Today's announcement marks a new era of cooperation with our closest ally, in which we commit to using technology to create prosperity and guarantee the safety and security of our citizens for years to come.”

Following the announcement, in an interview published in The Daily Telegraph last night, the UK foreign secretary, Dominic Raab, also revealed that the UK and US will work more closely together to “take the fight to cyber-criminals,” especially those targeting vital services like schools and hospitals.

Commenting, Charlie Smith, consulting solutions engineer at Barracuda Networks, said: “This announcement marks a turning point for the war on cyber-criminals, with the UK and US joining forces to root out and bring those responsible to justice. The sharp rise in ransomware attacks against schools, hospitals, local councils, and other critical national infrastructure cannot be underestimated and a concerted effort needs to be made to protect and secure these vital organizations from increasingly brazen attacks.”

Categories: Cyber Risk News

Unknown Attacker Chains Chrome and Windows Zero-Days

Fri, 06/11/2021 - 09:49

Security researchers warn of a series of highly targeted attacks designed to compromise victim networks via Google Chrome and Microsoft Windows zero-day exploits.

The attackers are thought to have first exploited the now-patched CVE-2021-21224 remote code execution bug in Chrome.

“This vulnerability was related to a Type Mismatch bug in the V8 — a JavaScript engine used by Chrome and Chromium web-browsers,” explained Kaspersky. “It allows the attackers to exploit the Chrome renderer process: the processes that are responsible for what happens inside users’ tabs.”

The second stage was an elevation of privilege exploit linked to two separate vulnerabilities in the Microsoft Windows OS kernel. The first, CVE-2021-31955, can lead to the disclosure of sensitive kernel information, while the second, CVE-2021-31956, is a heap-based buffer overflow bug.

Kaspersky claimed that the attackers used CVE-2021-31956 alongside the Windows Notification Facility (WNF) to create arbitrary memory read/write primitives and execute malware modules with system privileges.

Once they’ve gained a foothold in victim networks by exploiting these three flaws, the stager modules execute a more sophisticated malware dropper from a remote server, which in turn installs two executables masquerading as legitimate Windows files.

One of these is a remote shell module designed to download and upload files, create processes, lie dormant for periods of time, and delete itself from the infected system, Kaspersky said.

Microsoft patched both vulnerabilities in this week’s Patch Tuesday security update round while Google has already fixed the Chrome flaw.

The research team has yet to link the attacks to any known threat actor, so is dubbing the group behind it “PuzzleMaker.”

“Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits. It’s a reminder that zero days continue to be the most effective method for infecting targets,” argued Boris Larin, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

“Now that these vulnerabilities have been made publicly known, it’s possible that we’ll see an increase of their usage in attacks by this and other threat actors. That means it’s very important for users to download the latest patch from Microsoft as soon as possible.”

Categories: Cyber Risk News

China's New "Anti-Sanctions" Law Means Headache for Foreign Firms

Fri, 06/11/2021 - 09:09

Western tech firms and other multinationals with a big presence in China could soon find themselves in a difficult position after Beijing passed new retaliatory sanctions laws.

The move is widely seen as a reaction to a string of sanctions put in place by the US and allies in recent months over human rights abuses in Xinjiang and the muzzling of democracy protests in Hong Kong.

The new law passed on Thursday will reportedly enable the government to put individuals or entities on an “anti-sanctions list” if they comply with sanctions from the US and other countries that displease Communist Party leaders.

These individuals and businesses may be denied entry to China, expelled from the country, have assets seized or frozen or be banned from doing business there.

It’s the latest sign of China using its economic might to push back against what it sees as unfair foreign interference in sovereign matters.

However, it could place foreign companies in an impossible situation and force many to choose sides between the world’s two superpowers.

The law was reportedly rushed through China’s rubber-stamp legislature, the National People's Congress (NPC), without a third reading.

Also yesterday, China issued a second draft of a new Data Security Law which will restrict outward flows of “important” data from critical infrastructure (CNI) and non-CNI firms operating in the country — subjecting them to a security review process.

Purportedly, new rules could also prevent foreign companies from disclosing information on their Chinese subsidiaries to a foreign law enforcement agency or court.

Legal analysts have warned that much will hinge on how the authorities interpret the vague term “important.”

Categories: Cyber Risk News

Quantum Breakthrough in Britain Creates 600km Secure Link

Fri, 06/11/2021 - 08:35

Long-distance quantum-secured data transfer took a step closer this week after Toshiba announced that scientists in the UK have managed to produce a stable prototype that works over 600 kilometers.

Quantum computing is often described as a potential security challenge in that, once states can engineer working machines, they could theoretically crack any public-key cryptography system.

However, the technology could also be used to mitigate this risk by producing “unhackable” information streams using quantum key distribution (QKD).

This is a technology Toshiba Europe scientists are working on in Cambridge. Photons are encoded and transmitted for key generation. If the stream is intercepted by an eavesdropper, the unique properties of quantum physics mean that the sender will be alerted, and the key material is instantly scrambled.

Up until now, the main challenge in achieving QKD has been the fragility of qubits, or quantum particles, which means that they could be scrambled unintentionally if the fiber cables they’re transmitted through experience temperature or other changes.

Toshiba used a new “dual band” stabilization technique to tackle this.

“This sends two optical reference signals, at different wavelengths, for minimizing the phase fluctuations on long fibers. The first wavelength is used to cancel the rapidly varying fluctuations, while the second wavelength, at the same wavelength as the optical qubits, is used for fine adjustment of the phase,” it said.

“After deploying these new techniques, Toshiba found it is possible to hold the optical phase of a quantum signal constant to within a fraction of a wavelength, with a precision of 10s of nanometers, even after propagation through hundreds of kilometers of fiber. Without cancelling these fluctuations in real-time, the fiber would expand and contract with temperature changes, scrambling the quantum information.”

Using this dual band technique has enabled the research team to implement the so-called Twin Field QKD at distances around three times longer than existing commercial QKD systems.

Secure information exchange of this sort could one day be used to support an entire “quantum internet” of interconnected quantum computers. Given the huge variety of potential applications, the US, EU and China are throwing vast sums of money at such projects.

“QKD has been used to secure metropolitan area networks in recent years. This latest advance extends the maximum span of a quantum link so that it is possible to connect cities across countries and continents without using trusted intermediate nodes,” said Andrew Shields, head of the Quantum Technology Division at Toshiba Europe.

“Implemented along with Satellite QKD, it will allow us to build a global network for quantum secured communications.”

Categories: Cyber Risk News

IT Administrator Sentenced for Sabotaging Employer

Thu, 06/10/2021 - 19:23

Lockdown hasn't ended for one vengeful IT professional who carried out a cyber-attack against his former employer. 

Levi Delgado, of Middletown, Delaware, was sentenced on Wednesday to home confinement after hacking into a company's computer network, deleting its data and disabling user accounts.

The 36-year-old cyber-criminal had been employed as an information technology administrator at a medical center that provides care to under-served communities, but the medical center terminated Delgado’s employment in August 2017. 

After losing his job, Delgado's access to the medical center’s computer network was revoked and the credentials that had allowed him to log in to it were disabled.  

Four days after his termination, Delgado hooked up a personal laptop and accessed the medical center’s computer network without authorization via an administrator account.

After illegally entering the network, Delgado deleted the medical center’s employee user accounts, disabled its computer accounts, and also deleted its file server.  

Delgado’s criminal actions prevented the medical center’s employees from logging in to their computers and blocked them from accessing patient files necessary to conduct operations. 

While no patient personal health information was compromised or accessed, patient appointments and treatments had to be rescheduled because of Delgado's cyber-sabotage. 

Delgado pled guilty in February 2021 to one count of causing damage to a protected computer. 

Yesterday, Leonard Stark, chief United States district judge for the district of Delaware, sentenced Delgado to six months of home confinement and ordered him to pay over $13,000 in restitution.

The case was investigated by the FBI-Baltimore Division’s Cyber Task Force and was prosecuted by Assistant US Attorney Jesse Wenger.

“What Mr. Delgado did was not only intentional, reckless and petty, but also caused a severe disruption in medical care in an underserved community,” said Rachel Byrd, acting special agent in charge of the FBI-Baltimore Field Office. 

“Computer intrusion is a crime and the FBI, and our law enforcement partners, will continue to pursue those who compromise, mishandle or disrupt computer networks.”

Weiss added that their office "is committed to prosecuting any individual who thinks attacking a former employer’s computer network is an acceptable reaction to getting fired.”

Categories: Cyber Risk News

Arrest Made Over Multi-million-dollar BEC Scam

Thu, 06/10/2021 - 18:55

Texas law enforcement officers have made an arrest in connection with a multi-million-dollar wire fraud and money laundering scheme involving Business Email Compromise (BEC).

Guillermo Perez was taken into custody Wednesday morning for allegedly defrauding businesses and individuals of more than $2m through cyber-scams and bank fraud schemes.

An indictment unsealed on June 9 accuses 26-year-old Houston resident Perez of participating in the illegal scam from at least October 2018 to October 2019.

Perez is accused of impersonating individuals and businesses over email in the course of otherwise ordinary financial transactions. While posing as someone else, Perez allegedly tricked victims into transferring funds into bank accounts controlled by him and his co-conspirators.

As part of the alleged scheme, Perez provided banks with false and misleading information regarding his and his co-conspirators’ affiliations, then tricked the banks into opening business bank accounts that were fraudulent.

Victims of the BEC scheme, who were unaware that they were acting on false and misleading misrepresentations made by Perez and his co-conspirators, wired more than $2.2m into the fraudulent bank accounts. 

It is alleged that Perez and his co-conspirators, knowing that the transferred cash represented fraud proceeds, moved it out of the fraudulent bank accounts in transactions designed to conceal and disguise its origins and ownership.

The arrest of Perez was announced yesterday by Audrey Strauss, the United States attorney for the Southern District of New York, and Peter C. Fitzhugh, the special agent-in-charge of Homeland Security Investigations (HSI) in New York.

He is charged with one count of conspiracy to commit wire fraud and bank fraud, which carries a maximum sentence of 30 years in prison. Perez is also charged with one count of conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison.

In a statement issued yesterday, the US Attorney's Office wrote that Strauss praised the investigative work of HSI in the Perez case. 

The prosecution is being handled by the Money Laundering and Transnational Criminal Enterprises Unit. Assistant United States attorneys Emily Deininger and Tara La Morte are in charge of the prosecution.

Categories: Cyber Risk News

Texas to Publish Data Breach Notifications

Thu, 06/10/2021 - 17:24

Lawmakers in Texas have passed a bill requiring notices to be published online of any data breaches involving the personal information of 250 or more Lone Star State residents.

The unanimously passed House Bill 3746, which amends the Texas Business and Commerce Code §521.053, requires the Texas Attorney General's Office to post the breach notifications to its public-facing website.

Notifications must be uploaded to the website within 30 days of receipt, and listings of organizations impacted by a data breach must remain in place for a period of 12 months.

A listing will only be removed if the individual or company does not suffer any further data breaches affecting 250 or more Texas residents during the year-long listing period. 

Under current Texas law, notifications that a security system has been breached must be sent to the state Attorney General within 60 days of detection. 

Included in the breach notice must be a detailed description of the scope of the breach, how it happened, and what sensitive information may have been compromised, exfiltrated, stolen or deleted in the security incident.

The notice must also state the number of individuals known to be impacted by the breach at the time it is reported to the State Attorney General, even though that may not be a final tally.

Breached individuals and organizations cannot simply report a data breach incident to the Attorney General's Office and walk away. Their notice must include a description of what measures were taken to mitigate the breach and details of what future actions will be taken regarding the incident.

The Office must be informed as to whether law enforcement has been notified and is investigating the breach. It must also be told how many Texas residents have been notified about the breach, by mail or another direct method of communication, at the time the incident is reported.

Before it becomes law, the bill must be signed by Texas governor Greg Abbott. Should it be graced with Abbott's signature, the law will take effect from September 1, 2021.

By passing the new bill, the Texas Legislature has followed in the footsteps of California and Maine.

Categories: Cyber Risk News

#Infosec21: Lack of Vision Explains Cyber Skills Shortage

Thu, 06/10/2021 - 15:29

The cybersecurity skills gap is caused by a lack of vision in the industry rather than it being a pipeline problem, argued Wendy Nather, head of advisory CISOs at Cisco, during her keynote address on day three of the Infosecurity Europe virtual conference.

Nather, who was recently inducted into the Infosecurity Hall of Fame, believes it is a complete misnomer that there is a lack of talent available to fill the expanding number of security roles. Instead, it is down to the industry “to open our eyes and see what’s in front of us, namely that there are sources of great security talent everywhere.”

Nather then showed a collage of high profile security professionals representing a range of demographics, including those often not associated with technical IT skills, such as older people. She said this demonstrates that anyone from any walk of life has the potential to be successful in the sector.

She added that it is vital to recognize that there is a range of pathways into the security industry, and it is quite possible to move across from a completely different profession. “They just need to be able to innovate and then they can learn the technology,” outlined Nather. “People are capable of learning all sorts of things; you don’t have to go for the person who is exactly like the last person you had in this position."

In fact, it is a great advantage to a security team to have personnel from different backgrounds and experiences. Nather gave the example of hiring a man called John Skaarup, an army veteran of 21 years, based on the mindset he demonstrated during her interview with him. Nather said that “he turned out to be one of the best security colleagues that I have ever had” and is now a cybersecurity officer, running the security operations center at the Texas Department of Transportation.

Nather then offered advice on how those involved in the hiring of security personnel can adapt their practices to open their doors to a much wider pool of talent. She observed that there are already highly knowledgeable people familiar with security but whose skills are not recognized for various reasons. These include the way they speak – if they do not use traditional security terminology. Nather commented: “Just because they don’t know the right lingo doesn’t mean they don’t know the concepts and that they can’t apply their skills.”

Nather also said that organizations need to be more careful about how they word their job descriptions, as they can often come across as overly restrictive to many good candidates. This includes postings asking for “ridiculous amounts of experience” in relatively new areas, like Kubernetes.

She added that this was a particular issue for candidates from underrepresented groups as they are “less likely to apply for positions where they fit the description 100%.” Therefore, asking for too many qualifications risks “cutting out the person who you need for your team.” To help prevent this situation from occurring, Nather believes that senior security personnel should be making this case loud and clear and “fight for latitude in hiring.”

In addition, a greater emphasis on soft skills should be made during the hiring stage, according to Nather. She argued that these types of attributes are just as valuable to an organization as specific technical expertise, as the right people will be able to add technical skills to their repertoire in any case. For instance, she believes more value should be put on “tact, collaboration, the ability to explain things to anybody using very small words or the talent to be able to create something that people enjoy using.”

Concluding, Nather offered some takeaways for how the cybersecurity industry can grow the skills pipeline and diversify the people working within it. These include taking the initiative to discover and meet people from underrepresented groups rather than simply posting a job online. “To find the best people, you have to put in the work,” she explained.

Finally, Nather provided what she regarded to be the most crucial takeaway of the presentation, which is to recognize that “what I knew back then doesn’t matter now.” Simply put, the cybersecurity industry is evolving so quickly that the ability to adapt and learn new skills now is more important than past experiences in the field. She concluded: “What matters now is that we are all on the same starting line - we are all in the same race to learn. So look for the people you want to run with.”

Categories: Cyber Risk News

Schools Forced to Shut Following Critical Ransomware Attack

Thu, 06/10/2021 - 10:39

Two schools in the south of England have been forced to temporarily close their doors after a ransomware attack that encrypted and stole sensitive data.

The Skinners' Kent Academy and Skinners' Kent Primary School were attacked on June 2, according to a statement on the trust’s website which said it is currently working with third-party security experts, the police and the National Cyber Security Centre (NCSC).

It revealed that on-premise servers were targeted at the Tunbridge Wells-based schools. As student and staff emergency contact details, medical records, timetables and registers were encrypted by the attackers, the decision was taken to close on Monday.

“Data stolen includes: a wealth of teaching resources, school trip information, policies, human resources files and a significant amount of staff data, some student data including medical information and data pertaining to our iPad scheme,” an FAQ statement noted.

“Data encrypted (and therefore not accessible to the school anymore) includes our management information system, which contains the bulk of contact details for parents. Therefore, it is the latter that we have had to ask parents to re-submit to the trust.”

Students and parents have been advised to change any passwords, and parents have been told to inform their bank that account information may have been taken.

“The details of bank accounts may have been accessed through details taken for the iPad scheme for example,” the trust said.

The news comes just days after the NCSC warned of a surge in ransomware attacks on the UK’s education sector.  It claimed that phishing, RDP hijacking, and targeting vulnerabilities in VPNs and other systems were the primary attack vectors.

“As a result of the pandemic, schools have shifted to remote and hybrid learning, leading to an increase in the types of devices accessing the school’s cloud-based servers to attend classes and complete schoolwork,” argued Lookout security engineer, Burak Agca.

“A lack of visibility and a high degree of fragmentation in operating system platforms and device types introduces several security gaps and risks which schools have been struggling to deal with."

Categories: Cyber Risk News

High Street Banks Exposing Customers to Phishing Attacks

Thu, 06/10/2021 - 09:14

A consumer rights group is calling on all high street banks to improve their anti-phishing capabilities after spotting that a key protocol is sometimes not configured to offer maximum protection.  

Domain-based message authentication, reporting and conformance (DMARC) is a tried-and-tested way to help brands block phishing emails to customers.

It lets receiving mail servers verify that the sender’s domain hasn’t been impersonated, but the published policy must be set to “p=reject” for those servers to discard failing messages rather than deliver them to customer inboxes.
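As an added illustration of the check Which? commissioned, not code from the article or from 6point6, the script below parses DMARC TXT records and flags the weak configurations the story describes: no record at all, a policy of none or quarantine instead of reject, and a subdomain policy (sp=) or pct= that waters the policy down. The records are constructed samples, the domain names are placeholders, and the lookup itself is left to the reader (for example via a DNS client) so the audit runs offline.

```python
"""Audit DMARC policy strength from TXT records (constructed samples, run offline)."""

# Constructed sample records keyed by placeholder domain; None means no TXT record was found.
SAMPLE_RECORDS = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@bank-c.example",
    "bank-d.example": None,
    # Primary domain rejects, but subdomains explicitly fall back to no enforcement.
    "bank-e.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@bank-e.example",
}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return a list of findings; an empty list means the record fully enforces reject."""
    if txt is None:
        return ["no DMARC record"]
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return ["record is not a valid DMARC1 record (missing v= or p= tag)"]

    findings = []
    policy = tags["p"].lower()
    if policy != "reject":
        findings.append(f"policy p={policy} does not reject failing mail")

    # Subdomains inherit p= unless sp= overrides it, so sp=none quietly reopens them.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomain policy sp={sub_policy} leaves subdomains unprotected")

    # pct= below 100 applies quarantine/reject to only a sample of failing messages.
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct} applies the policy to only part of the failing mail")

    # Without aggregate reports the domain owner never sees who is spoofing it.
    if "rua" not in tags:
        findings.append("no rua= address, so authentication failures go unreported")
    return findings


def audit(records):
    """Map every domain (primary and alternative alike) to its findings."""
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_RECORDS).items():
        status = "OK (p=reject)" if not findings else "; ".join(findings)
        print(f"{domain}: {status}")
```

Feed the function every domain a brand sends mail from, not just the primary one: a missing record on an alternative domain shows up as "no DMARC record" exactly like the gaps the audit found.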

Consumer group Which? asked tech firm 6point6 to audit some of the biggest names on the high street to check their DMARC policies.

At the time of the study, it found that Bank of Ireland and Lloyds Bank-owned Agricultural Mortgage Corporation had not introduced DMARC at all, although both have since taken action.

It also found that Nationwide, TSB and Virgin Money had not set DMARC to p=reject, although the latter two claimed they were planning to do so.

The Co-operative Bank, First Direct, Starling and Tesco Bank had DMARC in place for their primary domains but not their alternative domains, which phishers could theoretically abuse.

Starling and Tesco Bank have now taken action to close this security loophole, Which? claimed.

“It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked — so it is crucial that banks take every measure to protect their customers from these devastating scams,” said Which? Money editor, Jenny Ross.

“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”

On the plus side, most UK banks have signed up to a “do not originate” (DNO) number scheme designed to clamp down on number spoofing, which scammers often use in vishing (phone-based phishing) attacks, Which? said.

Last year, a Proofpoint report found that only 13 out of the 64 accredited financial institutions it studied had implemented the strongest DMARC policy.

Categories: Cyber Risk News

JBS Admits Paying REvil Ransomware Group $11 Million

Thu, 06/10/2021 - 08:44

A meat processing giant recently hit by ransomware has confirmed it paid its extorters $11 million, reigniting the debate over the ethics of doing so.

A statement published by São Paulo-headquartered JBS, whose US and Australia businesses were hit in the incident last week, claimed that at the time of payment, the “vast majority” of its facilities were operational.

“In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated,” it added.

Usually, the attackers have already exfiltrated sensitive data in such attacks, and payment is made to prevent them from publishing it.

However, there’s no guarantee that the attackers will not try to monetize the data anyway.

Last November, a Coveware report claimed that data exfiltration is now a tactic in over half of ransomware attacks.

It warned that groups such as REvil (Sodinokibi), which was blamed for the JBS attack, sometimes still publish data after payment, and, in some cases, demand a second payment.

It’s unclear whether JBS paid the ransom with the expectation its insurance provider would cover it. The issue is increasingly controversial, with AXA recently stating that it would stop reimbursing clients in France for ransom payments.

“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

The firm’s statement goes on to boast a $200 million annual IT budget and state that its ability to bounce back quickly from the attack was due to “its cybersecurity protocols, redundant systems and encrypted backup servers.”

Edgard Capdevielle, CEO of Nozomi Networks, argued that enterprises must now be prepared for the inevitable ransomware attack.

“That's why in addition to strengthening cybersecurity defenses, it’s equally important to invest in business resilience in the face of an attack,” he added.

“This post-breach mindset establishes a strong cybersecurity culture that asks the tough questions, anticipates worst-case scenarios and establishes a recovery and containment strategy aimed at maximizing your organization’s resiliency, long before an attack occurs.”

It’s generally advised that victims do not pay ransomware groups as it simply encourages more of the same malicious activity. However, when critical supply chains are involved, it’s not quite so simple.

“Naive statements like ‘never pay the ransom’ simply ignore the reality of the situation and do not have any chance in actually changing anything,” argued John Bambenek, Threat Intelligence Advisor at Netenrich.

“President Biden’s meeting with Vladimir Putin next week is critical in attempting to change the trajectory of this threat to bring the rogue state responsible for harboring this threat to heel.”

Categories: Cyber Risk News

Probe into Leak of Cuomo Accuser’s Personnel File

Wed, 06/09/2021 - 18:36
Probe into Leak of Cuomo Accuser’s Personnel File

An investigation has been launched to determine whether New York governor Andrew Cuomo broke the law by allegedly leaking the personnel file of the first of eleven women to accuse him of sexual harassment. 

Cuomo's former aide Lindsey Boylan first accused him of sexual harassment in December on Twitter. In February, Boylan shared details of the alleged harassment, claiming that Cuomo had compared her to one of his former girlfriends, asked her to play strip poker with him, and made unwanted sexual advances toward her, including forcibly kissing her on the lips.  

Hours after Boylan’s first accusations were made, her personnel records, which included disciplinary recommendations and bullying allegations, were released to media organizations. Boylan, who worked for Cuomo's team from March 2015 to October 2018, claims the leak was part of a smear campaign orchestrated by Cuomo and his aides to damage her reputation.

It is alleged that Cuomo personally met with advisors to discuss what action to take after Boylan's accusations came to light. 

New York state whistleblowing laws make it illegal to take retaliatory action against alleged victims of sexual harassment. According to a new report by the Washington Post, investigators for New York State Attorney General Letitia James are probing whether Cuomo and his aides committed a crime by allegedly releasing Boylan's records. 

In February 2021, Charlotte Bennett, an executive assistant and health policy advisor to Cuomo, accused him of sexual harassment. In the weeks that followed, allegations of inappropriate sexual comments and conduct by the governor were made by former Obama administration member Anna Ruch, policy and operations aide Ana Liss, former press aide Karen Hinton, reporter Jessica Bakeman, Bloomberg reporter Valerie Bauman, aide Alyssa McGrath, attorney Sherry Vill, an anonymous member of the governor's Executive Chamber staff, and an unnamed aide.

Some of the alleged victims accuse Cuomo's chief aide Melissa DeRosa of making "intimidating" phone calls after Boylan's allegations first came to light. DeRosa is further accused of being involved in the drafting of a letter sent to staffers to sign to try to discredit Boylan. 

Cuomo has repeatedly denied the allegations made against him by nearly a dozen professionals. The governor claims he has "never touched anyone inappropriately" and "never made any inappropriate advances."

Categories: Cyber Risk News

Nebraska Medicine Data Breach Settlement Approved

Wed, 06/09/2021 - 17:34
Nebraska Medicine Data Breach Settlement Approved

A preliminary settlement has been reached in a lawsuit brought against Nebraska Medicine over a 2020 data security incident. 

Omaha-based Nebraska Medicine suffered a cyber-attack in September 2020. The attack disrupted the healthcare provider's information technology system, leading to the postponement of patient appointments. 

Staff in the system’s hospitals and clinics had to chart by hand, and access to Nebraska Medicine's patient portal and to patients' electronic health records was impacted. 

An investigation into the incident revealed that an unauthorized party used malware to gain access to Nebraska Medicine and University of Nebraska Medical Center’s shared computer network between August 27 and September 20. 

In February, Nebraska Medicine and UNMC began notifying patients and employees whose personal information may have been compromised in the attack. 

Nebraska Medicine reported the hacking incident to the US Department of Health and Human Services in February 2021 as a HIPAA breach affecting nearly 216,500 individuals in Nebraska and other states.

Data exposed in the incident included names, addresses, health insurance details, clinical information, Social Security numbers, and driver's license numbers.  

A limited number of patients seen at Faith Regional Health Services in Norfolk, Great Plains Health in North Platte, and Mary Lanning Healthcare in Hastings, and whose information was in the Nebraska Medicine/UNMC network, were also impacted by the data breach. 

A class-action lawsuit was filed against Nebraska Medicine in February, citing the exfiltration of sensitive personal data and medical records of tens of thousands of individuals.

A judge for the US District Court of Nebraska has approved a proposed suit settlement that would make all class members who submit a valid claim by a currently unspecified deadline eligible for a reimbursement of up to $300 cash for time and money spent on dealing with the breach.

Claimants who can show documented proof of "extraordinary monetary losses" that were "more than likely" incurred because of the data breach can claim up to $3,000 for an extra year of credit monitoring.

The preliminary settlement provides benefits to only around 126,000 individuals who were notified of the data breach through the mail, including nearly 13,500 who were informed that their Social Security number and/or driver’s license number may have been compromised in the incident.

Categories: Cyber Risk News

Pennsylvanian Charged over Trump Impersonation Fraud

Wed, 06/09/2021 - 16:48
Pennsylvanian Charged over Trump Impersonation Fraud

A food delivery driver from Pennsylvania has been charged with impersonating former president Donald Trump to defraud social media users. 

Joshua Hall, of Mechanicsburg, was arrested on Tuesday morning and charged with wire fraud and aggravated identity theft.

Prosecutors allege that the 22-year-old defrauded hundreds of people from across the United States in a year-long fundraising scam that he devised and executed alone. 

Hall is accused of posing as a former president and as members of that president's family to create social media accounts that attracted more than 100,000 followers.

Victims of the scam were led to believe that they were donating money to a genuine political organization. Prosecutors say that the organization was fictitious and that Hall pocketed thousands of dollars in donated funds for his own use.

Hall is accused of using photographs of the former president's family members, including his minor child, to make the fake social media accounts associated with the scam appear authentic.

FBI assistant director-in-charge William F. Sweeney, Jr., said: “Hall led hundreds of people to believe they were donating to an organization that didn’t exist by pretending to be someone he wasn’t, as alleged. As we continue to investigate fraud in all its many forms, we urge the public to remain aware of the prevalence of online scams and exercise due diligence when making donations online.”

The time at which the alleged offense was committed was not specified in a statement published on Tuesday by the US Attorney’s Office for the Southern District of New York, nor were Trump or his family referred to by name. 

However, NBC New York cited an FBI source who said that the Trump family had been exploited in the scam.

In December 2020, Twitter shut down an account allegedly used by Hall to run the scam after the New York Times exposed the account as fake. 

“There was no nefarious intention behind it,” Hall told the Times after the account was closed. “I was just trying to rally up MAGA supporters and have fun.”

If convicted of both charges, Hall could be sentenced to a prison term of up to 22 years.

Categories: Cyber Risk News

Single Fastly Customer Sparked Global Internet Meltdown

Wed, 06/09/2021 - 15:00
Single Fastly Customer Sparked Global Internet Meltdown

Yesterday’s wide-scale internet outage was triggered when a single Fastly customer changed their settings, it has emerged.

The problem took place on Tuesday June 8, when Fastly, a cloud computing services company, experienced a bug on its content delivery network (CDN). This led to several major websites, including Amazon, Reddit, The Guardian and the New York Times, being forced offline for 30-40 minutes from around 11am. Additionally, specific sections of other services were affected by the failure.

The problem was resolved relatively quickly, with Fastly revealing in a tweet that it had disabled a “service configuration that triggered disruptions across our POPs globally.”

In a post on its website earlier today, Nick Rockwell, senior vice president of engineering and infrastructure at Fastly, revealed that the problem occurred when one of its customers changed their settings. This exposed a bug in a software update that was issued by the company on May 12 “that could be triggered by a specific customer configuration under specific circumstances.”

It has since created a permanent fix for the bug, which was deployed at 17:25 UTC on June 8.

Rockwell acknowledged that Fastly should have anticipated the outage and said the company is currently “conducting a complete post mortem of the processes and practices we followed during this incident.”

Apologizing for the impact caused, he added: “This outage was broad and severe, and we’re truly sorry for the impact to our customers and everyone who relies on them.”

The update has raised concerns about the resilience of the internet and in particular, the reliance on a handful of companies to run its vast infrastructure. Tim Mackey, principal security strategist at the Synopsys CyRC, commented: "All software has bugs, and it’s not always realistic to test all deployment configurations prior to deploying a new software version. Due to the scalability present in most cloud solutions, businesses have grown accustomed to the resiliency of cloud platforms. So when a bug meets up with an untested deployment configuration in a cloud solution, you can end up with precisely the scenario that Fastly customers found themselves with – a major outage."

However, Mackey did praise the cloud service provider’s response to the incident so far. “To their credit, the Fastly team quickly identified the issue and created a patch, but not before a number of high-profile web properties were impacted,” he outlined. “The Fastly team indicate that they will be performing a review of their release practices to determine how the bug was able to escape remediation prior to the outage. Such reviews are common within teams following the blameless review cyber-incident process used by DevOps teams. Should that review identify a weakness in development practices commonly found within DevOps teams, I would hope the Fastly team take this opportunity to highlight how other large scale organizations might improve their operations by learning from the Fastly experience.”

Categories: Cyber Risk News

#Infosec21: NCSC Outlines Biggest Cyber Threats During COVID19

Wed, 06/09/2021 - 13:05
#Infosec21: NCSC Outlines Biggest Cyber Threats During COVID19

The main cyber-threat trends during COVID-19 and how they will affect the UK going forward were discussed by Eleanor Fairford, head of incident management at the National Cyber Security Centre (NCSC), during the keynote session on day two of the Infosecurity Europe virtual conference.

Fairford began by describing the new opportunities that the COVID-19 pandemic has presented to cyber-criminals and nation-state actors. Cyber-criminals have been able to “make the most of people’s vulnerabilities during this period and the increased threat surface that was presented by everyone working from home.” And for hostile nation-states, the pandemic provided more chances to steal highly sensitive information from other governments to gain an advantage over them, such as vaccine development.

She outlined the three areas NCSC regard as the biggest cyber-attack trends of 2020: cyber and fraud during COVID-19, the SolarWinds supply chain attacks and the proliferating ransomware threat.

Cyber and Fraud During COVID-19

In terms of cyber and fraud, Fairford revealed that during 2020, the NCSC observed more online scams “than in the previous three years combined.” Unsurprisingly, many were related to the COVID-19 pandemic - prominent examples include fake celebrity endorsement scams, vaccine adverts and fake online shops purporting to sell medical equipment or even COVID-19 ‘cures’. She added: “These are the sorts of techniques that really preyed on people’s vulnerability.” This is because of the enormous toll the pandemic has had on areas like health and the economy, making people far more anxious than they would typically be, and therefore more liable to be tricked.

Fairford also highlighted new measures the NCSC has taken to mitigate these scams and protect individuals and businesses. These include updating its active cyber-defense tools and measures, “which are being rolled out as widely as possible to provide a baseline level of protection.”

According to Fairford, the NCSC has emphasized protecting the NHS, the vaccine supply chain, and research institutions in this period. This includes monitoring for attempts to harvest NHS credentials in order to spoof this institution via phishing. In total, the NCSC observed 122 phishing campaigns in 2020 that used NHS branding, making them appear genuine. This compared to just 36 in 2019.

Fairford outlined another key initiative introduced by the NCSC last year to tackle the threat of online scams. This is the Suspicious Email Reporting Service, “which enables members of the public to send into the NCSC emails they had received which looked like phishing emails.” This has proven highly successful so far, with over six million reports received as of May 31 2021, leading to the removal of more than 45,000 scams and 90,000 URLs.

Encouragingly, Fairford said the NCSC took down nearly 30,000 COVID-19-themed attack groups last year alone.

SolarWinds Attack

She then moved onto the SolarWinds attacks that took place at the end of 2020, which she described as “the key cyber-espionage act of the last decade.” This incident, believed to have been perpetrated by Russian state-backed actors, was particularly “unique and noteworthy,” according to Fairford. This was primarily due to the method used by the threat actors to compromise SolarWinds and subsequently enable them to access the systems of up to 18,000 of its customers.

This was achieved by interfering with SolarWinds software updates, meaning that “as you routinely updated your SolarWinds package, you would install a tampered update, and that provided a backdoor into your network.” She therefore noted that all customers that followed guidance on patching and installing updates “were more likely to be a victim of this particular attack.”

Part of the novelty of this method was that services remained unaffected, allowing attackers to go through affected organizations’ systems unnoticed for a very long time. In its subsequent analysis of the incident, she added that the NCSC observed “high levels of operational security techniques” being employed by the attackers, including wiping all traces of their activity.

Fairford believes the attack may well have remained undetected had it not been for FireEye’s initial discovery in December 2020.


The Surge of Ransomware

Unlike SolarWinds, in which the perpetrators operated behind the scenes and caused no disruption to any services, ransomware attacks have been shown to have a huge impact on individuals and organizations, especially in the past year or so. Fairford commented: “It directly interrupts people’s access to workplaces, learning and key services so this really does create an impact on people’s lives.”

She outlined two major incidents on local authorities in the UK last year – Redcar & Cleveland and Hackney councils. Both led to severe consequences: in the Redcar case, online public services were unavailable to 135,000 local residents for over a week and total recovery costs exceeded £10m, while in the Hackney council case, sensitive personal data of staff and residents ended up being published on the dark web.

There has also been particularly heavy targeting of hospitals and other healthcare institutions since the start of COVID-19, including the recent attack on Ireland’s healthcare service. Fairford also cited a ransomware attack on a hospital in Germany last year, which potentially contributed to the death of a critically ill patient who had to be redirected to another hospital.

Finally, Fairford discussed the recent ransomware attack on the Colonial Pipeline company, which led to the US’ largest fuel pipeline being taken offline. This demonstrated the substantial threat that ransomware poses to countries’ critical national infrastructure. A ransom of $4.4m was paid to the attackers, but pleasingly, the majority of the money has reportedly been seized by the US Department of Justice.

Fairford also highlighted how ransomware groups are becoming increasingly professionalized in their approaches, with many even “behaving like a sophisticated business-type operation.” In one example she gave, a group even has its own list of FAQs, detailing how victims should behave in the event of an incident.

Fairford concluded by outlining how these trends are expected to impact the UK cyberspace over the coming year. Firstly, she believes “the health sector will continue to be a priority target for nation state operations, particularly as research continues into variants and vaccines,” while disinformation campaigns related to the pandemic are likely to still be heavily utilized by malicious actors. Additionally, it is predicted that ransomware will continue to proliferate, including the growth of the double extortion tactic.

Another area she believes will grow are supply chain attacks, with SolarWinds demonstrating just how effective these can be to compromise a large number of organizations globally. Finally, Fairford said she expects to see extensive targeting of “UK companies that are really at the forefront of things like emerging technologies.”

Categories: Cyber Risk News

A Third of Execs Plan to Spy on Staff to Guard Trade Secrets

Wed, 06/09/2021 - 10:28
A Third of Execs Plan to Spy on Staff to Guard Trade Secrets

Most senior executives believe more money is needed to protect trade secrets from malicious third parties and insider threats, and many are prepared to spy on staff to do so, according to a new study from global law firm CMS.

The firm commissioned The Economist Intelligence Unit to interview over 300 senior corporate executives from various sectors in China, France, Germany, Singapore, the UK and the US.  

Three-quarters (75%) agreed that greater investment was needed to guard trade secrets, with cybersecurity (49%) and employee leaks (48%) viewed as the most serious threats.

Most pointed to lost business and competitive advantage as the main risk of not doing so.

Security controls (53%) were seen as the most important step, followed by confidentiality agreements and policies (46%) and restricted access (42%). Less than a third (31%) thought that creating a culture that incentivizes trade secret protection would be effective.

When it came to mitigating the insider threat, around a third of respondents are planning various measures over the next two years, including changes to company culture, avoiding cloud storage, new offboarding measures and encouraging the reporting of leaks.

Controversially, a similar number (33%) said they were planning surveillance of employees’ digital activity. Those in China, Singapore and the US were most likely to snoop on staff, with European respondents more reluctant, due to GDPR safeguards.

Hannah Netherton, employment partner at CMS, argued that employee leaks are driving a need for new strategies to guard key assets.

“Companies must find the right balance between perfecting their cybersecurity protections and creating a healthy company culture that incentivizes trade secret protection and encourages speaking up through appropriate channels — even the most rigorous of protocols won’t prevent every employee leak or a disgruntled whistleblower,” she added.

“The pandemic has opened doors to a digital workspace, where it’s easier for employees to accidentally or purposefully access and expose confidential information. It is impossible to protect trade secrets if employees are not aware of the sensitivities around these assets, so putting the right values and measures in place has never been more important to an organization’s success.”

Categories: Cyber Risk News

Microsoft Fixes Seven Zero-Days This Patch Tuesday

Wed, 06/09/2021 - 09:58
Microsoft Fixes Seven Zero-Days This Patch Tuesday

Microsoft announced patches for 50 CVEs this month, including seven zero-day vulnerabilities, six of which are being actively exploited in the wild.

The six vulnerabilities in question start with CVE-2021-31955, an information disclosure bug in Windows kernel, and remote code execution flaw CVE-2021-33742.

The rest are elevation of privilege bugs in Windows NTFS (CVE-2021-31956), the Microsoft Enhanced Cryptographic Provider (CVE-2021-31199 and CVE-2021-31201) and the Microsoft DWM Core Library (CVE-2021-33739).

In addition, CVE-2021-31968 is a denial of service vulnerability in Windows Remote Desktop Services, which has been publicly disclosed but not yet seen in attacks.

Chris Goettl, Ivanti senior director of product management and security, said that CVE-2021-31199 and CVE-2021-31201 are related to a previously exploited Adobe flaw, CVE-2021-28550, released in Adobe Security Bulletin APSB21-29.

“Customers running affected versions of Microsoft Windows should install the June security updates to be fully protected from these three vulnerabilities,” he added. “This vulnerability affects Windows 7, Server 2008 and later Windows OS versions and is rated as ‘important’ with a CVSSv3 base score of 5.2, which could be missed in some organizations’ prioritization.”

In fact, many of the zero-days published on Tuesday don’t at first glance appear to be particularly risky for organizations due to their low CVSS scores.

“This brings a very important prioritization challenge to the forefront this month. Vendor severity ratings and scoring systems like CVSS may not reflect the real-world risk in many cases,” warned Goettl.

“Adopting a risk-based vulnerability management approach and using additional risk indicators and telemetry on real-world attack trends is vital to stay ahead of threats like modern ransomware.”
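To make Goettl's prioritization point concrete, the small triage script below orders this month's CVEs two ways: by CVSS alone and by a risk key that puts in-the-wild exploitation first. This is an added example written for this page, not code from Ivanti, Microsoft or Infosecurity Magazine. The exploited/disclosed flags follow the article; the only CVSS score the article quotes is the 5.2 for CVE-2021-31199 and CVE-2021-31201, and the other scores are illustrative placeholders rather than values taken from Microsoft's advisories.

```python
"""Order a month's CVEs by real-world risk rather than by CVSS alone.

Added example for the prioritization point above; not code from Ivanti,
Microsoft or Infosecurity Magazine. The exploited/disclosed flags follow the
article. Only the 5.2 score for CVE-2021-31199 and CVE-2021-31201 is quoted
in the article; the other scores are illustrative placeholders, not values
looked up from Microsoft's advisories.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Cve:
    cve_id: str
    component: str
    cvss: float
    exploited: bool = False   # exploitation observed in the wild
    disclosed: bool = False   # details public before the patch shipped


# Sample data built from the article's list of June 2021 zero-days plus the
# SharePoint bug; scores other than 5.2 are placeholders (see docstring).
JUNE_2021: List[Cve] = [
    Cve("CVE-2021-31955", "Windows kernel information disclosure", 5.5, exploited=True),
    Cve("CVE-2021-33742", "Windows remote code execution", 7.5, exploited=True),
    Cve("CVE-2021-31956", "Windows NTFS elevation of privilege", 7.8, exploited=True),
    Cve("CVE-2021-31199", "Enhanced Cryptographic Provider EoP", 5.2, exploited=True),
    Cve("CVE-2021-31201", "Enhanced Cryptographic Provider EoP", 5.2, exploited=True),
    Cve("CVE-2021-33739", "DWM Core Library elevation of privilege", 8.4, exploited=True),
    Cve("CVE-2021-31968", "Remote Desktop Services denial of service", 7.5, disclosed=True),
    Cve("CVE-2021-31963", "SharePoint Server remote code execution", 7.1),
]


def risk_key(cve: Cve) -> Tuple[bool, bool, float]:
    """Sort key: in-the-wild exploitation first, then public disclosure,
    then CVSS as the tie-breaker. Tuples compare left to right, so an
    exploited 5.2 outranks an unexploited 8.x."""
    return (cve.exploited, cve.disclosed, cve.cvss)


def by_risk(cves: List[Cve]) -> List[Cve]:
    """Risk-based patch order."""
    return sorted(cves, key=risk_key, reverse=True)


def by_cvss(cves: List[Cve]) -> List[Cve]:
    """The ordering a CVSS-only triage would produce."""
    return sorted(cves, key=lambda c: c.cvss, reverse=True)


def exploited_below_cutoff(cves: List[Cve], cutoff: float = 7.0) -> List[str]:
    """Exploited bugs that a 'patch everything >= cutoff first' rule defers."""
    return [c.cve_id for c in cves if c.exploited and c.cvss < cutoff]


if __name__ == "__main__":
    print("CVSS-only order:", [c.cve_id for c in by_cvss(JUNE_2021)])
    print("Risk-based order:", [c.cve_id for c in by_risk(JUNE_2021)])
    print("Exploited but below 7.0:", exploited_below_cutoff(JUNE_2021))
```

In practice the `exploited` and `disclosed` flags would be populated from a feed such as the vendor's own "exploited" indicator or a known-exploited-vulnerabilities list, and `exploited_below_cutoff` is the report to show anyone whose process only looks at the score.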

Elsewhere this month, Recorded Future senior solution architect, Allan Liska, urged sysadmins to focus on CVE-2021-31963, a critical remote code execution vulnerability in Microsoft SharePoint Server.

Although not previously disclosed or exploited in the wild, similar bugs have been used to deliver payloads, including ransomware in the past, he warned.

Categories: Cyber Risk News

Police Access Encrypted Devices in Major Global Crime Bust

Wed, 06/09/2021 - 08:29
Police Access Encrypted Devices in Major Global Crime Bust

Global law enforcers are celebrating today after a three-year operation across 16 countries led to more than 800 arrests and the seizure of over 30 tons of narcotics.

Europol described operation Greenlight/Trojan Shield as “one of the largest and most sophisticated law enforcement operations to date.”

According to The Economist, it was made possible after the developer of an encrypted device service known as Anom turned informant back in 2018.

This allowed the FBI and the Australian Federal Police to effectively take over the distribution of Anom-equipped hardened devices to the criminal underworld. One narcotics kingpin, Hakan Ayik, is reported to have unwittingly recommended Anom to others.

Anom eventually grew to support 12,000 devices and over 300 criminal syndicates in more than 100 countries, Europol claimed.

Thanks to their access to messages, global police recently searched 700 homes, made over 800 arrests and seized more than eight tons of cocaine, 22 tons of cannabis and cannabis resin, two tons of synthetic drugs, six tons of synthetic drugs precursors, 250 firearms, 55 luxury vehicles and over $48 million in fiat and cryptocurrencies.

Further “spin-off” operations will be launched over the coming weeks using evidence gathered from the 27 million Anom messages intercepted by the police, Europol added.

The willingness of criminals to sign up for the service stemmed from previous disruption efforts, which led to the dismantling of the EncroChat platform in July 2020 and the takedown of Sky ECC in March this year.

“Encrypted criminal communications platforms have traditionally been a tool to evade law enforcement and facilitate transnational organized crime. The FBI and our international partners continue to push the envelope and develop innovative ways to overcome these challenges and bring criminals to justice,” said the FBI’s Criminal Investigative Division assistant director Calvin Shivers.

“We are grateful to Europol for their commitment to fighting transnational organized crime and their partnership with the FBI.”

Categories: Cyber Risk News