Wednesday, January 15, 2020


Imagine the same level of success hacking a major airline. Would insurance cover the loss of business? The problem with less-than-full disclosure is that we don’t know what to prepare for.
Impact of Cyber Attacks on RavnAir More Damaging Than First Thought; Flights May Be Grounded for a Month
It had been thought that the company recovered fairly quickly from the malicious cyber attack, but a statement released just before the new year kicked off indicates that the company may have more delayed and canceled flights into February.
… During the weekend prior to Christmas, an unspecified cyber attack targeted the company’s Dash 8 passenger flights and caused about six of them to be grounded over the busy weekend as a security precaution.
… The FBI and an unspecified third-party cyber security company have been called in to investigate the impact of the cyber attacks on Ravn as the company is working on restoring everything.
As with the recent attack on Travelex, the company has opted to keep details about the attack very scanty. But, as with Travelex, ransomware seems to be a fairly safe assumption given the patterns of disruption to service and the long expected recovery period.




Some numbers. Interesting because of the companies based there.
Washington State Attorney General’s Office 2019 Data Breach Report
For those who may not know, Washington State produces its own data breach report annually. Here’s a snippet from their report:
In 2019, the total number of breaches reported to our office increased by nearly 20%, with just over 70% resulting from a malicious cyberattack.
Yep, the percentage increase in number of incidents/reports sounds about right.
The lifecycle of breaches increased dramatically, rising from an overall average of 139 days in 2018 to 277 days in 2019. This was largely driven by a huge spike in the amount of time it took organizations to discover that a breach had occurred.
Interesting, because ransomware attacks are recognized quickly, but may take longer to resolve. Similarly, it may take entities months to find out who had PII in an employee’s email account that had been compromised.
So there’s lots to think about and talk about. You can access the state’s 2019 report here. What I found stunning was the number of breaches reported to the state for a one-year period. But then, the number of reports is at least partly a function of how state law defines a reportable breach.




Clearly, the Fed is a major target.
A cyberattack on a major US financial institution would affect more than a third of bank assets, New York Fed warns
A sophisticated cyberattack on the US could ripple through major banks and severely disrupt the broader financial system, according to new research from the New York Federal Reserve.
A cyberattack on the data or systems of any one of the five most active banks could spill over to others and affect more than a third of assets in the overall network, analysts Thomas Eisenbach, Anna Kovner, and Michael Junho Lee said in the staff report this week.
"The reconciliation and recuperation process would be an unprecedented task," the paper said. "This could have severe implications on the stability of the broader financial system vis-à-vis spillovers to investors, creditors, and other financial market participants."




Social engineering based on known vulnerabilities.
Don't fall for this Google Nest sextortion scam
Scammers have been targeting people with Google Nest security camera footage as part of a widespread 'sextortion' campaign, according to Computer Weekly.
Affecting 1,700 people (mainly in the US), the scam was uncovered by email cyber security company Mimecast, which said that the campaign started in early January.
A sextortion email scam is when perpetrators claim to have compromising footage of the victim – which they'll then surrender once they have been paid.
According to Addison, these emails can be safely ignored. She explained: “The campaign is exploiting the fact people know these devices can be hacked very easily and preying on fears of that.”
It is now widely known that many IoT (Internet of Things) devices lack basic security and are vulnerable to hacking, meaning that victims are more likely to believe the fraudsters’ claims, since the possibility of their device having really been hacked is highly plausible.
How the scammers gained access to the victims' email addresses or the Google Nest footage is unclear.




I’m increasingly concerned that the next war will be digital and most people won’t even recognize it when they see it. This is merely a start.
'We want to win the next war': US Army will revamp cyber operations to counter Russia and China
As warfare continues to enter the digital realm, the Army plans to transform its cyber operations branch into a full-scale information warfare command, according to a top U.S. general.
The service will convert Cyber Command into the Army Information Warfare Command, Army Chief of Staff Gen. James McConville said at a panel on Tuesday. It’s one of the several modernization efforts the Army is taking on to counter "great power" opponents like Russia and China.


(Related)
Companies increasingly reporting attacks attributed to foreign governments
More than one in four security managers attribute attacks against their organization to cyberwarfare or nation-state activity, according to Radware.




Open source…
How digital sleuths unravelled the mystery of Iran’s plane crash
Wired – Open-source intelligence proved vital in the investigation into Ukraine Airlines flight PS752. Then Iranian officials had to admit the truth: “…It’s not unusual nowadays for OSINT to lead the way in decoding key news events. When Sergei Skripal was poisoned, Bellingcat, an open-source intelligence website, tracked and identified his killers as they traipsed across London and Salisbury. They delved into military records to blow the cover of agents sent to kill. And in the days after the Ukraine Airlines plane crashed into the ground outside Tehran, Bellingcat and The New York Times have blown a hole in the supposition that the downing of the aircraft was an engine failure. The pressure – and the weight of public evidence – compelled Iranian officials to admit overnight on January 10 that the country had shot down the plane “in error”.
So how do they do it? “You can think of OSINT as a puzzle. To get the complete picture, you need to find the missing pieces and put everything together,” says Loránd Bodó, an OSINT analyst at Tech versus Terrorism, a campaign group. The team at Bellingcat and other open-source investigators pore over publicly available material. Thanks to our propensity to reach for our cameraphones at the sight of any newsworthy incident, video and photos are often available, posted to social media in the immediate aftermath of events. (The person who shot and uploaded the second video in this incident, of the missile appearing to hit the Boeing plane was a perfect example: they grabbed their phone after they heard “some sort of shot fired”.) “Open source investigations essentially involve the collection, preservation, verification, and analysis of evidence that is available in the public domain to build a picture of what happened,” says Yvonne McDermott Rees, a lecturer at Swansea University…”




How long before this technology is banned? (Unless the manufacturer is willing to give the FBI a backdoor?)
How to be anonymous in the age of surveillance
The Seattle Times: “Cory Doctorow’s sunglasses are seemingly ordinary. But they are far from it when seen on security footage, where his face is transformed into a glowing white orb. At his local credit union, bemused tellers spot the curious sight on nearby monitors and sometimes ask, “What’s going on with your head?” said Doctorow, chuckling. The frames of his sunglasses, from Chicago-based eyewear line Reflectacles, are made of a material that reflects the infrared light found in surveillance cameras and represents a fringe movement of privacy advocates experimenting with clothes, ornate makeup and accessories as a defense against some surveillance technologies. Some wearers are propelled by the desire to opt out of what has been called “surveillance capitalism” — an economy that churns human experiences into data for profit — while others fear government invasion of privacy…
Today, artificial intelligence (AI) technology, such as facial recognition, has become more widespread in public and private spaces — including schools, retail stores, airports, concert venues and even to unlock the newest iPhones. Civil-liberty groups concerned about the potential for misuse have urged politicians to regulate the systems. A recent Washington Post investigation, for instance, revealed FBI and Immigration and Customs Enforcement agents used facial recognition to scan millions of Americans’ driver’s licenses without their knowledge to identify suspects and undocumented immigrants…”




Train your dragon.
Stanford Researchers Publish AI Index 2019 Report
The Stanford University Human-Centered Artificial Intelligence Institute published its AI Index 2019 Report. The 2019 report tracks three times the number of datasets as the previous year's report and contains nearly 300 pages of data and graphs related to several aspects of AI, including research, technical performance, education, and societal considerations.
The report is the result of an effort led by the Institute's AI Index Steering Committee, a team of researchers and industry experts chaired by AI21Labs co-founder Yoav Shoham. This is the report's third year, and it includes updates of previous metrics as well as new ones. In addition to the report, the committee has released two web-based tools: the Global AI Vibrancy Tool for comparing data across countries, and the arXiv Monitor for searching pre-print research papers to track technical metrics. According to the Committee's web site, the Index's mission is:
to provide unbiased, rigorous, and comprehensive data for policymakers, researchers, journalists, executives, and the general public to develop a deeper understanding of the complex field of AI.


