New York Governor Andrew Cuomo recently announced his proposal for a comprehensive data security law that will “provide New Yorkers with transparency and control over their personal data and provide new privacy protections.” The proposal also would establish a Consumer Data Privacy Bill of Rights that would guarantee “the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.”
According to the state of New York’s website announcing the initiative, the proposal also “expressly protects sensitive categories of information including health, biometric and location data and creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data. New York State will work with other states to ensure competition and innovation in the digital marketplace by promoting coordination and consistency among their regulatory policies.”
This proposal is promising and, if passed, it would mean that New York would join California in enacting a comprehensive consumer privacy law. We will follow the proposal closely to see if this new proposal will add to New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which passed in 2017 and established cybersecurity regulations for the financial services industry.
Indian news outlet Inc42 has reported that the ShinyHunters hacking group found some shiny objects when it was able to compromise the personal information of hundreds of thousands of individuals using the crypto exchange BuyUCoin.
The hackers were able to compromise and subsequently leak a BuyUCoin database that contained names, telephone numbers, email addresses, tax identification numbers and bank account information of users. Reports differ on the number of users affected by the compromise, with estimates ranging from 161,000 to 325,000.
Although BuyUCoin initially denied the reports, it recently indicated that it is investigating and that no user funds had been affected.
Cybersecurity firm SonicWall Inc. is investigating an attack on its internal systems that it describes as “highly sophisticated.” According to SonicWall, the investigation is centered around its Secure Mobile Access 100 series, which assists with end-to-end secure remote access.
The company said that a few thousand devices have been impacted and that it is trying to determine whether the attackers exploited a zero-day vulnerability in the SMA 100 series product.
Although it sounds very similar to the recent SolarWinds cyber-attack, it is presently unknown whether this incident is related to that attack or whether it was carried out by the Russia-based attackers behind the SolarWinds incident.
It is clear that cybersecurity firms are being heavily targeted by cyber-attackers and are not immune from the onslaught of cyber-attacks we are seeing across the board in every industry. It also emphasizes the fact that there is no ability to completely transfer cyber risk. Data security is a team sport. Reasonable cyber-hygiene inside your organization and the use of outside tools to augment your security posture are both ways to minimize risk, but hackers are using increasingly sophisticated attacks that present risk both internally and externally. What is crystal clear from these attacks on cybersecurity firms is that cybersecurity and vendor management must continue to be a high priority for organizations in order to manage cyber risk.
Users of the Parler social media platform who participated in the riots last week at the U.S. Capitol are reportedly uneasy following the announcement that several activist hackers archived posts as they were happening in real time during the riots, and that they will release the posts publicly to assist law enforcement with investigations. Another activist hacker is reported to have said that she archived material as it was being posted to show how the platform was used to plan the attack and for communication by participants during the assault.
Parler is reported to have been a popular mode of communication during the months leading up to the election last fall after Facebook and Twitter began reviewing and labeling content that was false or misleading.
One of the activist hackers alleges that she archived 30 terabytes (equal to 30,000 gigabytes) of publicly available posts of the events leading up to and during the riots so they would be preserved before the platform was taken down, which occurred on Monday.
Some of the archived data include legally obtained GPS data captured while posts were made by those participating in the riot. The GPS data show that Parler users were posting videos and pictures while they were inside the Capitol, including both chambers of Congress and the offices of some politicians.
U.S. intelligence agencies, including the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, have confirmed that Russia was behind the SolarWinds hack. It is reported that the FBI is investigating whether Russia hacked into JetBrains’ TeamCity, a DevOps and project management tool, to originally plant its malware in SolarWinds Orion, causing a cascade of downstream opportunities for Russia to access numerous governmental agencies’ systems, as well as thousands of private company systems.
In the fall-out, the Department of Justice, which includes the FBI, the Drug Enforcement Agency and the U.S. Marshals Service, announced this week that 3 percent of its employees’ emails were compromised as a result of the SolarWinds hack. This is very concerning and shows the magnitude and seriousness of the incident.
In more disturbing news, Microsoft has confirmed that the hackers behind the SolarWinds incident were able to access its systems and that some of its source code was viewed by the hackers. Notably, Microsoft confirmed that the code was not modified and that the Russians did not access its products or services, including customer information.
Cybersecurity firms, including Palo Alto Networks and SentinelOne, are offering free tools that companies can use to identify the SUNBURST malware variant and determine whether they have been affected.
We will continue to see significant fall-out from this devastating incident. If your company has not assessed its risk of being affected by the SolarWinds hack, you may wish to consider devoting time and resources to help make that determination now.
The maritime industry is an enticing target for hackers. The Port of Los Angeles (the Port) alone facilitated about $276 billion in trade last year, and the International Chamber of Shipping estimated that the total value of world shipping was around $14 trillion in 2019. The Port has plans to construct a multi-million-dollar cyber intelligence facility as a hub for information sharing between the public and private sectors to thwart the increasing attacks on the maritime and logistics industries. This facility, the Cyber Resilience Center, is one of the first of its type to be built in the United States. The Port’s Executive Director, Gene Seroka, said, “What we’ve noticed over time is that the potential penetrations and cyber threats have grown each and every year,” including incidents like the 2017 NotPetya attacks that affected shipping lines, the 2018 ransomware targeting of the Port of Long Beach, and the October 2020 ransomware attack on CMA CGM S.A., a French transportation and container shipping company. Seroka said that as the threats became more evident, the Port “needed to find a way to bring the private sector into this space as well.” The Cyber Resilience Center is expected to go live by the end of 2021. Participants in this information exchange will be able to share information anonymously through the platform, which will standardize data from different companies’ cybersecurity tools. The Port’s Chief Information Officer will lead the project, which will operate alongside the Port’s cybersecurity operations center.
Seroka said that he hopes the Cyber Resilience Center will be a model for other large ports across the United States, since information sharing is such a vital defensive tool. As the shipping industry becomes even more digitized, cyber threats will require facilities such as ports to prioritize established data standards, business rules and open architecture for facilitating information sharing in a secure, protected manner.
The Office of the Comptroller of the Currency, Treasury (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) recently announced a “Notice of Proposed Rulemaking for the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” This new rule would require a banking organization to provide prompt notification to its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred. According to the information released jointly by the agencies, they anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. Notification would be required only after that determination was made.
The proposed rule defines both a “computer-security incident” and a “notification incident.” Notification incidents trigger the notice to federal regulators. Examples of notification incidents include large-scale outages or denial of service attacks that disrupt service for more than four hours, widespread system outages caused by the service providers of a bank’s core banking platform, hacking and malware that cause widespread outages, system failures that result in the activation of a disaster recovery plan, and a ransomware attack that encrypts a core banking system or backup data.
In their notice, the agencies state that it is important that the primary federal regulator of a banking organization be notified as soon as possible of a significant computer-security incident that could jeopardize the viability of the operations of an individual banking organization, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.
The proposed rule would apply to the following banking organizations: national banks, federal savings associations, and federal branches and agencies; U.S. bank holding companies and savings and loan holding companies, state member banks, and the U.S. operations of foreign banking organizations; and all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.
The agencies are seeking public comment on all aspects of the proposal, including 16 specific questions related to the proposal. Comments must be received within 90 days of publication of the proposed rules in the Federal Register.
As the holiday shopping season comes to an end, consumers should still be aware that hackers are sending fake delivery notifications appearing to come from companies like FedEx and UPS, especially as the last few days of package arrivals pass by. The hackers’ messages prompt consumers to enter personal information, such as credit card details, to resolve an issue with package delivery, or they immediately launch malware or ransomware when a link is clicked. According to a recent CNBC report on this ‘shipageddon’ launched by hackers, one consumer received an email message appearing to be from UPS informing him that his package could not be delivered. Once he clicked the link provided to solve the issue, his screen started flashing and his computer was encrypted with ransomware requesting 150 bitcoins (or about $66,000). Upon the consumer’s refusal, his computer was wiped clean.
The CNBC report, citing data from cybersecurity firm Check Point Software Technologies, says that fraudulent delivery messages rose by 440 percent from October to November, and that fraudulent shipping messages overall have risen 72 percent since November 2019. Don’t fall victim to these scams: at a minimum, before clicking on a provided link or offering up your personal information, make sure that the message includes correct spelling and company logos.
To file in the “no one is immune from a sophisticated attack” category, well-known and respected security firm FireEye publicly announced this week that it has experienced an attack by a state-sponsored (which means a foreign government) hacking group, which successfully obtained its “red team tools.” This is very concerning, as the red team tools include the “special sauce” FireEye uses to test its clients’ security maturity and vulnerabilities, and they could be used as a roadmap for adverse nation states to hack into the U.S. government’s or private companies’ systems.
Kudos to FireEye for making this public so the U.S. government, critical infrastructure and private companies can be on the alert for the tools to be used against them. FireEye has stated that it is working on over 300 countermeasures to assist in combatting the use of its proprietary tools by these adverse threat actors.
Unfortunately, this incident is a cold, hard, awful reminder that even the most sophisticated security firm can become the victim of a cyberattack, and since that is the case, all companies are at extreme risk of an attack and exfiltration of data.
FireEye appears poised to assist in combatting the effects of the incident, so keep a close eye on those measures. We will keep you updated as well.
Brazilian airplane manufacturer Embraer’s data has reportedly been uploaded on a dark web website hosted by ransomware group RansomExx (a/k/a Defray 777) after Embraer reportedly refused to pay a ransom following a ransomware attack last month.
According to ZDNet, the hackers uploaded company files containing “samples of employee details, business contracts, photos of flight simulations, and source code, among others.”
Leaking the data and making it publicly accessible, or sometimes selling it at auction, is designed by the attackers to put pressure on the company to pay the ransom, whether to avoid legal obligations and regulatory fines or penalties, or to prevent competitors and adversaries from accessing confidential data that could be used against the company.