
VIDEO: How CIA cyberweapons are increasingly being used to hack banks, credit unions

By Byron V. Acohido

When WikiLeaks released details about the CIA’s arsenal of hacking tools last month, it was like Christmas arrived early for hackers who specialize in cracking into the business networks of financial services companies.

Mandiant, the forensics division of malware detection vendor FireEye, affirmed as much in its M-Trends 2017 report, issued shortly thereafter. The Mandiant report disclosed how cyber criminals have quickly embraced CIA-type tools to juice up their banking system attacks.

I spoke to Bob Thibodeaux, chief information security officer at Seattle-based DefenseStorm, about this. DefenseStorm provides a security service for community banks and credit unions that monitors network traffic—specifically event log data—for malicious activities.

“What we are seeing with the leak of the CIA’s attack tools is that cyber criminal elements are actually taking advantage of the knowledge of those tools for their attacks,” Thibodeaux told me. “We are seeing them actually using the kinds of tactics that the government actors are using to exploit financial firms, specifically.”

These cutting-edge attacks are showing up in banking systems in southeast Asia, according to Mandiant. But it may be only a matter of time before the use of similar tactics, leveraging the CIA leak, spreads to banks in other regions. “The attackers are using tools that Windows system administrators would use to actually stay on the network, monitor traffic, figure out how the banking process works, and then steal tens to hundreds to millions of dollars,” Thibodeaux says.

Community banks and credit unions in the United States are likely to be targeted because they are less well-defended than the big multinational banks.

It is all too typical for a small bank or credit union to rely on basic network defense systems, even though malicious probes and communications with criminal command-and-control servers are nonstop.

Unfortunately, it’s not going to get any easier for smaller banks and credit unions to play catch-up, much less neutralize cyber attacks over … more

VIDEO: The implications of privacy rules stiffening in Canada, Europe

By Byron V. Acohido

As a partner at the Canadian law firm Borden Ladner Gervais, Éloïse Gratton advises her clients on legal, practical and ethical ways to protect an individual’s privacy while conducting business nationally and internationally. She has testified before Canada’s House of Commons and other federal bodies and conducted training workshops attended by judges and members of the Parliament.

LastWatchdog sat down with Gratton just after she appeared on a privacy panel at CyberScout’s Privacy XChange Forum. Here’s the gist of that conversation. The text has been edited for clarity and length.

LastWatchdog: Europe and Canada are oriented toward preserving privacy for the individual; in America, not so much. Can you frame how that plays out in global commerce?

Gratton: I would say in Europe and in Canada, we’ve been a little bit ahead on the data-protection front, so we probably have laws that are a little bit more stringent. Yet we’re a little behind on everything that has to do with security-breach notification. In the States, it has been mandatory for quite some time. In Europe, it will be mandatory with the upcoming General Data Protection Regulation in May 2018.

In Canada, there’s one province where, if the breach triggers significant harm for the affected individuals, it’s mandatory to notify. So in Alberta, that has been a legal requirement since 2009. In coming months, this will also become a federal legal requirement to notify upon a security breach taking place. So we’re following the U.S. on this issue.

LastWatchdog: Cyber threats continue to evolve so rapidly; can regulators keep up?

Gratton: Yes, the threat is evolving, so at the end of the day, organizations need to ensure that they are ready for the new threats. We’ve seen it recently in Canada with the Ashley Madison hack. So you have to have a breach-incidence response plan and make sure employees are trained, so that they’ll know exactly what to do. Upon … more

VIDEO: Why cyber insurance is needed to protect intangible assets, i.e. business data

By Byron V. Acohido

More organizations than ever, especially small and medium-size ones, will seek to account for the fast-rising risk of suffering a cyber attack in 2017 by buying a cyber liability policy.

The general state of security of U.S. business networks remains anemic when compared to the vast and growing capabilities of hackers with malicious intent. Companies are beginning to realize the value of offsetting this risk to an insurance carrier—and insurance companies and underwriters recognize a golden goose when they see one.

The fledgling cyber insurance market topped $3 billion in 2015, and ABI estimates the global cyber insurance market is swelling at a clip that will top $10 billion by 2020.

Related: Cyber insurance increasingly includes value-added security services

ThirdCertainty sat down with Tim Francis, cyber insurance enterprise lead at Travelers Bond & Financial Products, and Graeme Newman, chief innovation officer at CFC Underwriting, shortly after the pair spoke on this topic at IDT911’s Privacy XChange Forum 2016 this fall. Here’s their forecast. (IDT911 sponsors ThirdCertainty. This text has been edited for clarity and length.)

3C: Could you frame the emerging cyber insurance market for us?

Newman: The cyber insurance market has been around for 15 or 16 years now, which in insurance terms, is a short period of time, but it’s growing fast. It’s very much U.S. dominated, and it also falls into some specific industry verticals. You get a lot of buyers in the financial services, within retail and within health care. But that’s starting to change.

Francis: Part of what’s driving this shift into different industries, and also smaller-size companies, is the recognition that cyber is not just a product for companies with large amounts of data. A lot of coverages go beyond that to things like business disruption, which could affect any company virtually. For instance, ransomware has nothing to do with the excavation of data.

3C: What are some of the obstacles?

Newman: The … more

VIDEO: NY holds companies accountable for cybersecurity

By Byron V. Acohido

Banks and other financial services companies wishing to do business in the state of New York will soon have to prove they are using first-class cybersecurity policies and practices.

Officials at the New York State Department of Financial Services (NYDFS) were so concerned that a catastrophic network hack in the financial sector could have dire consequences that they took it upon themselves to draft a far-reaching set of mandatory cybersecurity requirements.

Two years in the making, it is called the Cybersecurity Requirements for Financial Services Companies. And it is set to take effect Jan. 1.

Heading off hacks

A comment period on the draft proposal closed Nov. 14. Officials now are reviewing the comments, and modifications could yet be made. However, if the rules as drafted stay mostly intact, as expected, we could witness a paradigm shift driven by hefty new regulations.

New York’s effort to compel financial services companies to do much better at cybersecurity goes miles further than California’s pioneering data loss disclosure law. In 2003, California lawmakers required companies that lose personal information to inform the individuals whose data has gone missing. And with the U.S. Congress in perpetual gridlock, 46 other states followed suit and passed similar data loss notification laws.

It’s going to be fascinating to see if the cycle repeats itself. “There have been some articles from the insurance sector welcoming regulation,” says Richard Borden, a cybersecurity attorney at Robinson & Cole. “Others see this as overbearing, especially for smaller entities. It’s going to require a large compliance regime, and smaller companies are going to have a lot of trouble with that, from an operational and a technical standpoint.”

Long and detailed checklist

Under New York’s new rules, an institution must establish a program capable of ensuring the confidentiality and integrity of its information systems. The scope of the new rules is broad, and the specific requirements are very detailed. Minimum requirements call for … more

VIDEO: Good guy hacker Chris Vickery hunts exposed data

By Byron V. Acohido

Two more stunning disclosures from self-styled internet watchdog Chris Vickery underscore how organizations continue to routinely expose sensitive data in the cloud, risking dire consequences.

“My findings clearly demonstrate that data breaches happen more often than the general public realizes, and companies are quick to deny and cover up these issues,” Vickery says.

Last Friday, Vickery revealed how Habitat for Humanity of Michigan had been making use of two backup virtual hard drives without taking steps to block public access to those drives, which contained “lots of background/credit checks for volunteers and applicants, as well as thousands of Social Security numbers,” he says. The nonprofit organization helps build and renovate affordable housing for needy families.

Leaked files show grim reality

In mid-October, Vickery broke news at IDT911’s Privacy Xchange Forum 2016, describing how a California law firm similarly neglected to restrict access to an internet cloud storage location where it kept copies of case files. (IDT911 sponsors ThirdCertainty.) The legal documents Vickery located included notes and surveillance footage appearing to show guards at a police holding cell in La Habra, California, failing to take any action as a 49-year-old prisoner, Daniel Oppenheimer, hanged himself.

The notes of the lawyer—whose firm specialized in defending alleged police misconduct—revealed that he looked at the surveillance video and saw “shadows” of a person twice walking past Oppenheimer’s cell during the strangulation, Vickery says. The shadows weren’t noted, though, in the district attorney’s report investigating any wrongdoing by police in Oppenheimer’s death, and Vickery questions whether the person walking past the cell could have stopped the suicide.

Oppenheimer strangled himself with a telephone cord and the zipper of his jail-issued jumpsuit on Jan. 2, 2015. Earlier that day, Oppenheimer was arrested and charged with attempting to strangle his wife at their La Habra home.

Vickery says he contacted the city lawyer’s firm and an attorney representing Oppenheimer’s daughter who filed a wrongful-death lawsuit against the … more

Q&A: How hackers manipulate domain names to spread malware

By Byron V. Acohido

When Seattleite Jay Westerdal bootstrapped a company called DomainTools in 2002, it was to support his activities in the domain name speculation game that was red hot at the time.

DomainTools set out to gather domain “whois” records in order to serve those immersed in speculating on owning domain names, like chocolate.com. Unbeknown to the founders at the time, the company did a couple of things that would position DomainTools to reinvent itself down the road as a security vendor, once the domain name market ran its course.

First, the company kept historical records of everything. And, second, DomainTools started gathering not just “whois” records but also web server and email server records, all of which would prove to be valuable for tracking the activities of cyber criminals.

ThirdCertainty recently visited with Tim Helming, DomainTools’ director of product management, to outline how the company today sheds light on the cyber underground. Text edited for clarity and length.

3C: How do domain names come into play with malicious internet activities?

Helming: Everything that happens on the internet happens with IP addresses and domain names. You’ve probably received phishing emails once or twice, right? We all have. So a phishing email has domains in a couple of places. Usually there’s a link that they want you to click on, and that link has some domain in it. Sometimes it’ll be an intentional typo that looks like a legitimate site. They want you to click on it. So that domain name actually is a key to a lot of valuable information about the attacker.

Related: DNS vulnerabilities expose businesses to attack

From that one domain, you can often expand and see other domains that they own. And that could tell you things like, ‘Oh these other domains are all targeting businesses in my industry. So this attacker’s interested in my industry.’ Or maybe they’ve got a … more

VIDEO: Vasco Digipass technology changes user’s password every 30 seconds to thwart hackers

By Byron V. Acohido

KBC Bank Ireland announced last month that it has upgraded security for mobile customers by integrating the Vasco Digipass for apps into its mobile security application.

The Irish bank’s decision is part of a growing trend by financial institutions to implement advanced security solutions for an increasing number of customers who bank with a mobile device.

“Mobile banking is growing faster than the use of online banking did, and smartphones will soon be within the reach of almost all banking customers,” says Vasco Data Security International Vice President John Gunn. “In the next few years, mobile payments will be preloaded on every new phone and integrated into every mobile banking application.”

With the addition of Digipass, KBC Bank customers can use an iPhone’s Touch ID functionality—a fingerprint identity sensor—instead of a PIN code. Digipass automatically changes a mobile user’s password every 30 seconds, and the bank’s server tracks whether each is valid.

Vasco’s technology provides a graphical cryptogram that contains the details of the transaction, e.g. payee, amount, account number. When a picture of the color QR code is taken and then decoded, customers can securely view and verify financial details on a computer, smartphone or tablet and then authorize the transaction. Because it is encrypted, hackers cannot change the details, so they cannot conduct man-in-the-middle attacks.

More: Apple gets into mobile payments with iPhone6

“This eliminated the opportunity for hackers to use stolen passwords and makes phishing attacks obsolete,” Gunn says. “With a six-digit PIN or a one-time password, a hacker would have a one-in-a-million chance of guessing the correct password. Brute force attacks don’t work because a hacker cannot present a million attempts in 30 seconds, and the password changes again within that time.”

Two-factor authentication offers stronger shield

Simon Keates, a mobile payment security expert for Thales e-Security, says Vasco’s Digipass, or two-factor authentication, is “a proven method for enhancing typical authentication methods and significantly … more