Wednesday, February 21, 2018

Any publicity seems to attract the hacker piranhas.
Note: as Catalin Cimpanu points out on Twitter, “Neither RedLock nor Tesla confirmed that “confidential data” was stolen. Tesla said the opposite in their statement. The reporter is going out on a limb on this one.”
Duncan Riley reports:
Elon Musk may be able to send a Tesla Inc. vehicle into space, but apparently his staff can’t secure data online so easily. A shocking report released this morning details the theft of data from the electric car company, blaming it on gross staff incompetency.
According to researchers at cloud security firm RedLock Ltd., hackers infiltrated Tesla’s Kubernotes console after the company failed to secure it with a password. Within one of the Kubernetes pods, a group of software containers deployed on the same host, sat the access credentials to Telsa’s Amazon Web Service Inc. account.
Read more on SiliconAngle.
[From the article:
Because it’s the fashion in 2018, the hackers then installed cryptomining software, including sophisticated evasion measures to hide the installation.

A “How To” article that allows us to consider “How To Avoid!”
Phishing schemes net hackers millions of dollars from Fortune 500
On Wednesday, researchers from IBM's X-Force Incident Response and Intelligence Services (IRIS) team said the Business Email Compromise (BEC) scheme is currently active and is successfully targeting Accounts Payable (AP) teams at Fortune 500 companies.
In a blog post, the researchers said that after discovering evidence of the threat in Fall 2017, their analysis of the campaign led them to Nigeria, where the threat actors appear to be operating.
The BEC uses social engineering attacks and phishing emails in order to obtain legitimate credentials for enterprise networks and email accounts.
In many cases, publicly available information is used to craft messages which appeared legitimate and entice phishing victims to visit malicious domains.
… This BEC is of special note as no malware was used and as legitimate employees were conducting transactions, traditional security products and protocols would not be able to detect any compromise.

From the White House! So you know it can’t be “fake news.”
CEA Report: The Cost of Malicious Cyber Activity to US Economy
[February 16, 2018] “the Council of Economic Advisers (CEA) released a report detailing the economic costs of malicious cyber activity on the U.S. economy. Please see below for the executive summary and read the full report here. This report examines the substantial economic costs that malicious cyber activity imposes on the U.S. economy. Cyber threats are ever-evolving and may come from sophisticated adversaries.
  • We estimate that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.
  • Cybersecurity experts like to say that in an act of war or retaliation, the first moves will be made in cyberspace. A cyber adversary can utilize numerous attack vectors simultaneously. The backdoors that were previously established may be used to concurrently attack the compromised firms for the purpose of simultaneous business destruction.

For our discussion of Law & Regulation.
The Laws and Ethics of Employee Monitoring
… Federal and most state privacy laws give discretion to employers as to how far they can go with their employee monitoring. In some cases, employers do not have to inform employees of the monitoring, but this depends on state and local laws. Some locations require employee consent to monitor.
"As a general rule, employees have little expectation of privacy while on company grounds or using company equipment, including company computers or vehicles," said Matt C. Pinsker, adjunct professor of homeland security and criminal justice at Virginia Commonwealth University.
Monitoring must be within reason. For example, video surveillance can be conducted in common areas and entrances; however, it should be obvious that surveillance in bathrooms or locker rooms is prohibited and can open a company up to legal repercussions.

No comments: