Friday, December 08, 2017

I might like this kind of law, assuming a company can create, maintain, and comply with a written cybersecurity program.” Who gets to say they are in compliance?
William Berglund, Robert J. Hanna and Victoria L. Vance of Tucker Ellis write:
Maintaining robust cybersecurity measures that meet government- and industry-recognized standards will provide businesses operating in Ohio with a legal defense to data breach lawsuits, if a bill recently introduced in the Ohio Senate becomes law.
Ohio Senate Bill No. 220 (S.B. 220), known as the Data Protection Act, was introduced to provide businesses with an incentive to achieve a “higher level of cybersecurity” by maintaining a cybersecurity program that substantially complies with one of eight industry-recommended frameworks. See S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.01 to 1354.05.
Compliance Standards To Be Met
Businesses that are in substantial compliance with one of the eight frameworks outlined in S.B. 220 would be entitled to a “legal safe harbor” to be pled as an affirmative defense to tort claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures. S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.02(A) and (C), 1354.03; S.B. 220, Section 2(A).
Read more on Tucker Ellis.

This is the kind of article I advise my Computer Security students to share with their employers.
Phishers Are Upping Their Game. So Should You.
Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.
According to stats released this week by anti-phishing firm Phishlabs, nearly 25 percent of all phishing sites in the third quarter of this year were hosted on HTTPS domains — almost double the percentage seen in the previous quarter.
Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.

Oof. I read something like this notification below from Boise Cascade Company in Utah, and I wonder if the employees had been regularly trained in avoiding phishing attacks, or if it was just the case that the phishing was done so damned well that the employees fell for it despite their training. In this case, the intrusion was part of a scheme to alter or redirect employees’ payroll direct deposit accounts.
The Company’s investigation determined that a phishing scheme got into its email system on or about October 31, 2017. Our information technology team caught the scheme within minutes of the first phishing email, blocked the email, and notified employees not to click on the link in it or similar emails. Unfortunately, approximately 300 employees clicked on the link anyway. The investigation further revealed that company-wide, 23 employees’ direct deposit instructions were changed.
I’d love to see what that phishing email looked like if 300 people fell for it.

One of the better Security Week articles.
The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax
Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts.
That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?
The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.
First of all, the consequences of the breach are not yet fully realized. Criminals have only recently started using compromised email accounts to spread ransomware and spam. As email service providers increasingly use the age of the sending account as an indicator of risk, the value to criminals of long-established but compromised accounts has started to increase. These accounts become a circumvention strategy for criminals wishing to reliably deliver malicious emails. As the value of an established account goes up, the damage that can be done by using the compromised accounts does, too.
Second, criminals have only recently started to mine the contents of compromised accounts to identify promising opportunities – but that is increasingly happening now, and is becoming another source of value to the Yahoo! attackers (and anybody who has already purchased compromised accounts from them.) To a large extent, we are still in the “manual effort” phase of this type of attack, wherein attackers have not yet understood exactly what they are looking for, and therefore, have not yet written scripts to automate the task. Once their understanding matures and they automate the process, the vast volumes of compromised accounts will turn into new criminal opportunities.
And the automated extraction of meaningful content will dramatically increase the yield of the attacks that the criminals will be able to mount. Think of it like this: if your account was compromised, and a good friend or colleague gets an email from you … or rather, your email account … with a malicious attachment, will they open it? If the email is obvious spam, they probably won’t, but if the message makes sense, they will; and if the attacker knows what you and your contact normally talk about, that isn’t difficult to do.
There is also a multiplier effect as the number of major breaches of consumer data rises.
In the recent Equifax breach, criminals made off with information for more than 145 million Americans, including names, mother’s maiden names, social security numbers, addresses, birthdays, and more. But not email addresses, and not banking affiliations and account numbers. A crafty attacker can easily match the names and birthdays of the Equifax breach to the names and birthdays of the Yahoo! breach, automatically generating very powerful combinations. With this combined intelligence, the attacker can contact banks, posing as banking customers, and gain access to accounts.

“Once we figured out how to get paid all other thoughts stopped!”
Thomas Fox-Brewster reports:
Despite the catastrophic 2015 hack that hit the dating site for adulterous folk, people still use Ashley Madison to hook up with others looking for some extramarital action. For those who’ve stuck around, or joined after the breach, decent cybersecurity is a must. Except, according to security researchers, the site has left photos of a very private nature belonging to a large portion of customers exposed.
The issues arose from the way in which Ashley Madison handled photos designed to be hidden from public view. Whilst users’ public pictures are viewable by anyone who’s signed up, private photos are secured by a “key.” But Ashley Madison automatically shares a user’s key with another person if the latter shares their key first. By doing that, even if a user declines to share their private key, and by extension their pics, it’s still possible to get them without authorization.
Read more on Forbes. And no, that wasn’t Forbes’ headline for the story.

No comments: