MISCELLANEOUS CYBERSECURITY NEWS:
NIST Releases Draft Post-Quantum Encryption Document - The latest
step in post-quantum cryptography guidance is helping organizations
identify where current public-key algorithms will need to be
replaced, as the National Institute of Standards and Technology
continues its push to fortify U.S. digital networks ahead of the
maturity of quantum computing.
https://www.nextgov.com/technology-news/2023/04/nist-releases-draft-post-quantum-encryption-document/385580/
Apache Superset: A story of insecure default keys, thousands of
vulnerable systems, few paying attention - Apache Superset until
earlier this year shipped with an insecure default configuration
that miscreants could exploit to log in and take over the data
visualization application, steal data, and execute malicious code.
https://www.theregister.com/2023/04/25/apache_superset_cve/
Chinese Cyberspies Delivered Malware via Legitimate Software Updates
- A Chinese APT actor tracked as Evasive Panda has been observed
targeting in-country members of an international non-governmental
organization (NGO) with the MgBot backdoor, and the malware was
likely delivered through the legitimate update channels of popular
Chinese software, cybersecurity firm ESET reports.
https://www.securityweek.com/chinese-cyberspies-delivered-malware-via-legitimate-software-updates/
Ransom demands, recovery times, payments and breach lawsuits all on
the rise - Healthcare data breach lawsuits were filed last week
against 90 Degree Benefits, CommonSpirit, and OneBrooklyn Health.
https://www.scmagazine.com/news/ransomware/ransom-demands-recovery-times-payments-and-breach-lawsuits-rise
CISA Asks for Public Opinion on Secure Software Attestation - For a
60-day period, the public can provide feedback on the draft
self-attestation form for secure software development, which
requires the providers of software for the government to confirm
that specific security practices have been implemented.
https://www.securityweek.com/cisa-asks-for-public-opinion-on-secure-software-attestation/
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Salesforce Community Cloud data leaks shine light on
misconfigurations - Reported misconfigurations in the Salesforce
Community Cloud once again show how the industry needs to do a
better job explaining the shared responsibility model for cloud
apps.
https://www.scmagazine.com/news/cloud-security/salesforce-community-cloud-data-leaks-misconfigurations
German health IT vendor Bitmarck goes offline amid cyberattack - A
cyberattack against Bitmarck forced the IT services vendor to take
internal and customer systems offline as part of its security
protocols as it works to identify and address the impact. Bitmarck
is a major IT vendor for a number of German health insurers.
https://www.scmagazine.com/news/incident-response/german-health-it-vendor-bitmarck-offline-cyberattack
T-Mobile discloses second data breach since the start of 2023 -
T-Mobile disclosed the second data breach of 2023 after discovering
that attackers had access to the personal information of hundreds of
customers for more than a month, starting late February 2023.
https://www.bleepingcomputer.com/news/security/t-mobile-discloses-second-data-breach-since-the-start-of-2023/
T-Mobile promises better security after year’s second breach -
T-Mobile apologized to customers affected by its second data breach
this year and says it is continuing to work on enhancements to its
information security systems.
https://www.scmagazine.com/news/breach/t-mobile-security-breach
Ransomware strikes POS platform used by NCR’s customers in
hospitality industry - NCR disclosed on Saturday that it was hit
with a ransomware attack on its Aloha point-of-sale (POS) platform
targeted towards the company’s hospitality and restaurant customers.
https://www.scmagazine.com/news/ransomware/ransomware-strikes-pos-platform-ncr
Latest Reported Data Breaches Impact Variety of Healthcare Orgs -
The latest data breaches reported to HHS and state attorneys general
offices impacted a variety of healthcare organizations across the
country.
https://healthitsecurity.com/news/latest-reported-data-breaches-impact-variety-of-healthcare-orgs
US Marshals Service still recovering from ransomware attack - An
agency spokesperson said Monday that it will soon bring a new
version of the system online with better security; back in
February, hackers hit a computer network used by the secretive
marshals service unit known as the Technical Operations Group.
https://www.hawaiinewsnow.com/2023/05/02/us-marshals-service-still-recovering-ransomware-attack/
IT giant Bitmarck shuts down customer, internal systems after
cyberattack - German IT services provider Bitmarck has shut down all
of its customer and internal systems, including entire datacenters
in some cases, following a cyberattack.
https://www.theregister.com/2023/05/01/bitmarck_data_breach/
Major UK banks including Lloyds, Halifax, TSB hit by outages -
Websites and mobile apps of Lloyds Bank, Halifax, TSB Bank, and Bank
of Scotland have experienced web and mobile app outages today
leaving customers unable to access their account balances and
information.
https://www.bleepingcomputer.com/news/technology/major-uk-banks-including-lloyds-halifax-tsb-hit-by-outages/
Cold storage giant Americold outage caused by network breach -
Americold, a leading cold storage and logistics company, has been
facing IT issues since its network was breached on Tuesday night.
https://www.bleepingcomputer.com/news/security/cold-storage-giant-americold-outage-caused-by-network-breach/
WEB SITE COMPLIANCE -
Record Retention
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated
with the Internet."
Non-repudiation
Non-repudiation involves creating proof of the origin or delivery
of data to protect the sender against false denial by the recipient
that the data has been received or to protect the recipient against
false denial by the sender that the data has been sent. To ensure
that a transaction is enforceable, steps must be taken to prohibit
parties from disputing the validity of, or refusing to acknowledge,
legitimate communications or transactions.
Access Control / System Design
Establishing a link between a bank's internal network and the
Internet can create a number of additional access points into the
internal operating system. Furthermore, because the Internet is
global, unauthorized access attempts might be initiated from
anywhere in the world. These factors present a heightened risk to
systems and data, necessitating strong security measures to control
access. Because the security of any network is only as strong as its
weakest link, the functionality of all related systems must be
protected from attack and unauthorized access. Specific risks
include the destruction, altering, or theft of data or funds;
compromised data confidentiality; denial of service (system
failures); a damaged public image; and resulting legal implications.
Perpetrators may include hackers, unscrupulous vendors, former or
disgruntled employees, or even agents of espionage.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 4.2 Fraud and Theft
Computer systems can be exploited for both fraud and theft both by
"automating" traditional methods of fraud and by using new methods.
For example, individuals may use a computer to skim small amounts of
money from a large number of financial accounts, assuming that small
discrepancies may not be investigated. Financial systems are not the
only ones at risk. Systems that control access to any resource are
targets (e.g., time and attendance systems, inventory systems,
school grading systems, and long-distance telephone systems).
Computer fraud and theft can be committed by insiders or outsiders.
Insiders (i.e., authorized users of a system) are responsible for
the majority of fraud. A 1993 InformationWeek/Ernst and Young study
found that 90 percent of Chief Information Officers viewed employees
"who do not need to know" information as threats. The U.S.
Department of Justice's Computer Crime Unit contends that "insiders
constitute the greatest threat to computer systems." Since insiders
have both access to and familiarity with the victim computer system
(including what resources it controls and its flaws), authorized
system users are in a better position to commit crimes. Insiders can
be either general users (such as clerks) or technical staff members.
An organization's former employees, with their knowledge of an
organization's operations, may also pose a threat, particularly if
their access is not terminated promptly.
In addition to the use of technology to commit fraud and theft,
computer hardware and software may be vulnerable to theft. For
example, one study conducted by Safeware Insurance found that $882
million worth of personal computers was lost due to theft in 1992.