FYI - Data breaches expected to cost $5 trillion by 2024 - The annual
cost of worldwide data breaches will surpass $5 trillion by 2024,
with North American businesses absorbing the highest share,
according to a newly published Juniper Research report.
https://www.scmagazine.com/home/research/annual-global-data-breach-costs-to-exceed-5-trillion-by-2024-report/
Bug bounty hunters cash in - HackerOne reported that six people have
each earned more than $1 million through the bug bounty program.
https://www.scmagazine.com/home/security-news/vulnerabilities/bug-bounty-hunters-cash-in/
Despite concerns over breaches, 40% of cardholders have provided
Social Security numbers online - Two years after the Equifax breach,
four in 10 consumers holding credit or debit cards have included
their full Social Security numbers on an online form, a new report
has found.
https://www.scmagazine.com/home/security-news/despite-concerns-over-breaches-40-of-cardholders-have-provided-social-security-numbers-online/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Dentist offices nationwide hit with REvil ransomware attacks -
Dental practices across the country found themselves locked out of
their patient files after a hacker group infected a pair of software
providers with REvil, or Sodinokibi, ransomware.
https://www.scmagazine.com/home/security-news/dentist-offices-nationwide-hit-with-revil-ransomware-attacks/
Jack Dorsey's Twitter account hacked - Twitter CEO and co-founder
Jack Dorsey's account was hacked Friday.
https://www.cnet.com/news/jack-dorseys-twitter-account-hacked/
Rash of ransomware continues with 13 new victims—most of them
schools - As investigations into a massive, coordinated ransomware
attack against local governments in Texas continues, 13 new victims
of ransomware attacks have been publicly identified.
https://arstechnica.com/information-technology/2019/08/rash-of-ransomware-continues-with-13-new-victims-most-of-them-schools/
North Carolina Braces Against Wave of Ransomware Attacks - Attacks
this year have ranged from cities to rural counties. A community
college was hit as well as a sheriff's office and an emergency
medical service, which led to patient records being compromised.
https://www.govtech.com/security/North-Carolina-Braces-Against-Wave-of-Ransomware-Attacks.html
PDF Reader Biz Breached: Foxit Forces Password Reset - Customers of
popular PDF firm Foxit Software are being asked to reset their
passwords after a data breach at the firm led to unauthorized
access.
https://www.infosecurity-magazine.com/news/biz-breached-foxit-forces-password/
Aliznet exposed database leaks data on 2.5 million Yves Rocher
customers - Personal information on customers of French retail
consultancy Aliznet was exposed through an unprotected
Elasticsearch server.
https://www.scmagazine.com/home/security-news/aliznet-exposed-database-leaks-data-on-2-5-million-yves-rocher-customers/
419 million Facebook users info exposed, phone numbers and unique
IDs - Unprotected databases are behind a leak that exposed
information, including unique identifiers and phone numbers, on more
than 419 million Facebook users – 133 million of those records
belonging to users in the U.S.
https://www.scmagazine.com/home/security-news/419-million-facebook-users-info-exposed/
Half a million Teletext Holidays files unsecured - UK-based travel
company Teletext Holidays left a trove of its customer data
unsecured, exposing 530,000 files, including some 200,000 audio
files of calls made by customers.
https://www.scmagazine.com/home/security-news/data-breach/half-a-million-teletext-holidays-files-unsecured/
Flight booking site Option Way exposed personal info on customers -
A data breach at flight booking site Option Way exposed personal
details on passengers and their flight and travel plans.
https://www.scmagazine.com/home/security-news/flight-booking-site-option-way-exposed-personal-info-on-customers/
Foxit forcing customer password resets after data breach - Foxit
Software is forcing its customers to reset their passwords in
response to an unauthorized party gaining access to user accounts.
https://www.scmagazine.com/home/security-news/data-breach/foxit-forcing-customer-password-resets-after-data-breach/
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Sound Practices to Help Maintain the Privacy of Customer E-Banking Information
1. Banks should employ appropriate cryptographic techniques,
specific protocols or other security controls to ensure the
confidentiality of customer e-banking data.
2. Banks should develop appropriate procedures and controls to
periodically assess their customer security infrastructure and
protocols for e-banking.
3. Banks should ensure that their third-party service providers have
confidentiality and privacy policies that are consistent with their
own.
4. Banks should take appropriate steps to inform e-banking
customers about the confidentiality and privacy of their
information. These steps may include:
a) Informing customers of the bank's privacy policy, possibly on
the bank's website. Clear, concise language in such statements is
essential to assure that the customer fully understands the privacy
policy. Lengthy legal descriptions, while accurate, are likely to go
unread by the majority of customers.
b) Instructing customers on the need to protect their passwords,
personal identification numbers (PINs) and other banking and/or
personal data.
c) Providing customers with information regarding the general
security of their personal computer, including the benefits of using
virus protection software, physical access controls and personal
firewalls for static Internet connections.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
ENCRYPTION TYPES
Three types of encryption exist: the cryptographic hash, symmetric
encryption, and asymmetric encryption.
A cryptographic hash reduces a variable-length input to a
fixed-length output. The fixed-length output is a unique
cryptographic representation of the input. Hashes are used to verify
file and message integrity. For instance, if hashes are obtained
from key operating system binaries when the system is first
installed, the hashes can be compared to subsequently obtained
hashes to determine if any binaries were changed. Hashes are also
used to protect passwords from disclosure. A hash, by definition, is
a one-way encryption. An attacker who obtains the password hash cannot
run the hash through an algorithm to decrypt the password. However,
the attacker can perform a dictionary attack, feeding all possible
password combinations through the algorithm and looking for matching
hashes, thereby deducing the password. To protect against that
attack, "salt," or additional bits, are added to the password before
hashing. The addition of the bits means the attacker must
increase the dictionary to include all possible additional bits,
thereby increasing the difficulty of the attack.
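As an added illustration (not part of the FFIEC booklet), the two uses of hashing described above, written with Python's standard library: a baseline of file hashes checked later for changes, and salted, iterated password hashing verified in constant time. The sample "binary" contents and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample "binaries": name -> content captured at install time.
SAMPLE_BINARIES = {
    "/bin/login": b"ELF\x02\x01\x01 login v1.0 (constructed sample)",
    "/bin/sshd": b"ELF\x02\x01\x01 sshd v8.0 (constructed sample)",
}

def sha256_hex(data: bytes) -> str:
    """Fixed-length hex digest for a variable-length input."""
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """Record the hash of each binary when the system is first installed."""
    return {name: sha256_hex(content) for name, content in files.items()}

def changed_files(baseline: dict, current: dict) -> list:
    """Names whose current hash no longer matches the recorded baseline."""
    return sorted(name for name, content in current.items()
                  if baseline.get(name) != sha256_hex(content))

def hash_password(password: str, salt: bytes = None, rounds: int = 100_000) -> tuple:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256): returns (salt, digest).

    A fresh random salt per password means identical passwords get different
    digests, so one precomputed dictionary cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes, rounds: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, rounds)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_BINARIES)
    tampered = dict(SAMPLE_BINARIES)
    tampered["/bin/login"] = SAMPLE_BINARIES["/bin/login"] + b" extra bytes"
    print("changed:", changed_files(baseline, tampered))   # ['/bin/login']
    salt_a, digest_a = hash_password("correct horse battery")
    salt_b, digest_b = hash_password("correct horse battery")
    print("same password, different salts, different digests:", digest_a != digest_b)
    print("verify ok:", verify_password("correct horse battery", salt_a, digest_a))
```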
Symmetric encryption is the use of the same key and algorithm by
the creator and reader of a file or message. The creator uses the
key and algorithm to encrypt, and the reader uses both to decrypt.
Symmetric encryption relies on the secrecy of the key. If the key is
captured by an attacker either when it is exchanged between the
communicating parties, or while one of the parties uses or stores
the key, the attacker can use the key and the algorithm to decrypt
messages, or to masquerade as a message creator.
Asymmetric encryption lessens the risk of key exposure by using
two mathematically related keys, the private key and the public key.
When one key is used to encrypt, only the other key can decrypt.
Therefore, only one key (the private key) must be kept secret. The
key that is exchanged (the public key) poses no risk if it becomes
known. For instance, if individual A has a private key and publishes
the public key, individual B can obtain the public key, encrypt a
message to individual A, and send it. As long as individual A keeps
his private key secure from discovery, only individual A will be
able to decrypt the message.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.5.4 Vulnerabilities Related to Information Disclosure/Brokerage
HGA takes a conservative approach toward protecting information
about its employees. Since information brokerage is more likely to
be a threat to large collections of data, HGA's risk assessment
focused primarily, but not exclusively, on protecting the mainframe.
The risk assessment
concluded that significant, avoidable information brokering
vulnerabilities were present--particularly due to HGA's lack of
compliance with its own policies and procedures. Time and attendance
documents were typically not stored securely after hours, and few
PCs containing time and attendance information were routinely
locked. Worse yet, few were routinely powered down, and many were
left logged into the LAN server overnight. These practices make it
easy for an HGA employee wandering the halls after hours to browse
or copy time and attendance information on another employee's desk,
PC hard disk, or LAN server directories.
The risk assessment
pointed out that information sent to or retrieved from the server is
subject to eavesdropping by other PCs on the LAN. The LAN hardware
transmits information by broadcasting it to all connection points on
the LAN cable. Moreover, information sent to or retrieved from the
server is transmitted in the clear--that is, without encryption.
Given the widespread availability of LAN "sniffer" programs, LAN
eavesdropping is trivial for a prospective information broker and,
hence, is likely to occur.
Last, the assessment
noted that HGA's employee master database is stored on the
mainframe, where it might be a target for information brokering by
employees of the agency that owns the mainframe. It might also be a
target for information brokering, fraudulent modification, or other
illicit acts by any outsider who penetrates the mainframe via
another host on the WAN.